Abstract. Message-passing based concurrent languages are widely used in
developing large distributed and coordination systems. This paper presents the
buffered π-calculus — a variant of the π-calculus where channel names are
classified into buffered and unbuffered: communication along buffered channels
is asynchronous, and remains synchronous along unbuffered channels. We show
that the buffered π-calculus can be fully simulated in the polyadic π-calculus
with respect to strong bisimulation. In contrast to the π-calculus which is
hard to use in practice, the new language enables easy and clear modeling of
practical concurrent languages. We encode two real-world concurrent languages
in the buffered π-calculus: the (core) Go language and the (Core) Erlang. Both
encodings are fully abstract with respect to weak bisimulations.

Keywords: process calculus, formal model, full abstraction 

1 Introduction 

Concurrent programming languages have become popular in recent years thanks to
the large demand for distributed computing and the pervasive exploitation of
multi-processor architectures. Unlike the shared-memory concurrency model,
which is now mainly used on multi-processor platforms, message-passing based
concurrent languages are particularly popular in developing large distributed
and coordination systems. Indeed, quite a few real-world concurrent languages
are intensively used in industry. The most well-known languages are probably
Erlang, developed by Ericsson [1], and the much younger language Go, developed
by Google [B]. Both languages achieve their asynchronous communication via
order-preserving message passing.

On the other side, the π-calculus [11,15] has shown its success in modeling
and verifying both specifications and implementations. Its asynchronous
variant [3,8] is a good candidate as the target formal model. Despite the fact
that it is called asynchronous, communication in the asynchronous π-calculus
is however synchronous. It is shown in [2] that the communication modelled by
the asynchronous π-calculus is equivalent to message passing via bags —
senders put messages into some bags, and receivers may get arbitrary messages
from these bags. This result indicates that additional effort should be made
to respect the order of the messages, which is adopted in the implementation
of many concurrent languages.

In view of this, we may expect a formal model where asynchronous
communication is supported natively. In fact, our primary goal is to achieve a
formal model by which we can easily define a formal semantics of Go and do
verification on top of it. The developers of Go claim that the concurrency
feature of Go is rooted in CSP 0, while we show that the π-calculus should be
an appropriate model for Go as CSP does not support transmission of channel
names over channels.

In the spirit of the name passing mechanism of the π-calculus and the channel
type of the Go language, we extend the π-calculus by introducing a special
kind of names, each associated with a first-in-first-out buffer. We call these
names buffered names. Communication along buffered names is asynchronous,
while that along unbuffered (normal) names remains synchronous. We call this
variant language the buffered π-calculus, and abbreviate it as the
$\pi_b$-calculus.

We develop the $\pi_b$-calculus by defining its operational semantics as a
labelled transition system and supplying an encoding into the polyadic
π-calculus. We also present translations of the languages Go and Erlang into
the $\pi_b$-calculus and show that the model is sufficient and relatively
easier for modeling real-world concurrent languages.

1.1 Related Work 

Beauxis et al. introduced the $\pi_{\mathfrak{B}}$-calculus in order to study
the asynchronous nature of the asynchronous π-calculus [2]. Their asynchronous
communication is achieved via explicit use of buffers. In case the buffers are
ordered structures such as queues or stacks, the asynchronous communication
modelled by $\pi_{\mathfrak{B}}$ differs from that by the asynchronous
π-calculus. While communication in the $\pi_{\mathfrak{B}}$-calculus is always
asynchronous, we keep both synchronous and asynchronous communication in the
$\pi_b$-calculus, through different types of names.

Encoding programming languages in process calculus has been studied by many
researchers. Milner defines the semantics of a non-trivial parallel
programming language by a translation into CCS in [5]. In [17], a translation
from a parallel object oriented language to the minimal π-calculus is
presented. The correctness of the translation is justified by the operational
correspondence between units and their encodings. Our treatment of the Go
language follows the approach in [17]. In addition, we show a full abstraction
theorem, namely equivalent Go programs are translated into equivalent $\pi_b$
processes.

For functional languages, Noll and Roy [12] presented an initial translation
mapping from a Core Erlang [3] to the asynchronous π-calculus. Later on they
[14] improved the translation by revising the non-deterministic encoding of
pattern matching based expressions, and by adding the encoding for tuples.
Their translations, however, are not sound in the sense that the order of
messages is not always respected. By modelling the mailbox structure
explicitly by buffered names in the $\pi_b$-calculus, we obtain a more
accurate encoding which is fully abstract with respect to weak bisimulation.



1.2 Outline 

The rest of the paper is structured as follows. Section 2 presents the syntax
and semantics of the $\pi_b$-calculus and a simple encoding in the polyadic
π-calculus [10]. We show that this encoding preserves the strong bisimulation
relation. In Section 3 we define a formal semantics for Go and present an
encoding of Go in the $\pi_b$-calculus. Section 4 is devoted to Core Erlang,
in which an improved encoding is presented. And finally, Section 5 concludes
the paper.



2 The $\pi_b$-Calculus

We assume an infinite set $\mathcal{N}$ of names, ranged over by a, b, c, d,
x, y. Processes are defined by the following grammar.

$P, Q, \ldots ::= \sum_{i \in I} \pi_i.P_i \;\mid\; P \mid Q \;\mid\; (\nu c : n)P \;\mid\; (\nu c)P \;\mid\; !P$

where $\pi ::= c(x) \mid \bar{c}\langle d\rangle \mid \tau$.

Most of the syntax is standard: $\sum_{i \in I} \pi_i.P_i$ is the guarded
choice (I is finite), which behaves nondeterministically as one of its
components $\pi_j.P_j$ for some $j \in I$; composition $P \mid Q$ acts as P
and Q running in parallel; !P is the replication of process P; prefixes c(x)
and $\bar{c}\langle d\rangle$ are input and output along name c; and τ is the
silent action. We write 0 for the empty guarded choice; it is the process
which can do nothing.

The $\pi_b$-calculus extends the π-calculus in that names can be buffered or
unbuffered. Unbuffered names are names in the π-calculus, and buffered names
have the buffer attribute specified by a buffer store. A buffer store, denoted
by B, is a partial function from buffered names to pairs (n, l), where n is a
positive integer representing the capacity of the buffer, and l is a list of
names in the buffer, with the same order. Both $(\nu c)P$ and $(\nu c : n)P$
are called new processes. The (standard) new process $(\nu c)P$ specifies that
c (whether buffered or unbuffered) is a local name in P. The extended new
process $(\nu c : n)P$ creates a local buffered name c, whose associated
buffer has the capacity n for asynchronous communication inside P. Notice that
$(\nu c)P$ only says that the name c is local and does not imply that c is
unbuffered — c can be a buffered name whose buffer is already created in the
buffer store.

Input process c(x).P and output process $\bar{c}\langle d\rangle.P$ can
communicate with each other along name c when they run in parallel. If c is an
unbuffered name, the communication is synchronous and happens as in the
π-calculus: the object d is passed from the output side to the input side. If
c is a buffered name, then the communication becomes asynchronous: the output
process simply puts d into the buffer of c if it is not full and continues, or
blocks if the buffer is full; the input process retrieves the oldest value
from the buffer of c if it is not empty and continues, or blocks if the buffer
is empty.

As usual, we write $\tilde{c}$ for a sequence of names, and abbreviate
$(\nu c_1) \ldots (\nu c_n)P$ to $(\nu c_1 \ldots c_n)P$. A name x is bound if
it appears in an input prefix, otherwise it is free. We write
$P\{\tilde{c}/\tilde{x}\}$ for the process resulting from simultaneously
substituting $c_i$ for each free $x_i$ in P. The newly created name c in
$(\nu c : n)P$ or $(\nu c)P$ is a local name. A name is global if it is not
localized by any new operator. We use ln(P) and gn(P) for the set of local
names and global names occurring in P.

Throughout the development of the paper, we assume the following De
Barendregt name convention:

Local names are different from each other and from global names.

For instance, we shall never consider processes like $a(c).(\nu a)P$ or
$(\nu a)(\nu a)P$. We note that this convention is dispensable and we simply
adopt it to make the presentation of the calculus simple and clean. One can
also remove the convention and use syntactic rules to manage name conflicts,
but dealing with names in buffers can be very subtle.

A process can send a local name into a buffer. The fact that a name stored in
buffers is local must be tracked, because it may affect the name scope when
another process retrieves this name from the buffer. The convention also works
for buffer stores. We shall discuss more on this when defining the operational
semantics. Inside a buffer store, a value of the form $\nu c$ indicates that
the name c was sent into the buffer when it was local. Given a buffer store B,
we write gn(B(b)) for the set of global names that occur in b's buffer, and
$gn(B) = \bigcup_{b \in dom(B)} gn(B(b))$. Similarly ln(B(b)) and ln(B) for
local names in B(b) and B. The buffer store $B\{c/d\}$ is obtained by
substituting c for each d in B.

We say a process Q is guarded in P, if every occurrence of Q in P is within
some prefix process. Intuitively, a guarded process cannot affect the behavior
of its host process until the action induced by its guarding prefix is
performed. New operators are guarded in P if all new processes are guarded in
P.

The structural congruence $\equiv_B$ with respect to the buffer store B is
defined as the smallest congruence relation over processes satisfying the laws
in Table 1. Structural congruence allows us to pull unguarded new operators to
the "outermost" level.

1. $P \equiv_B Q$, if Q is obtained from P by renaming bound names, or local
   names not occurring in B.

2. $P \mid Q \equiv_B Q \mid P$; $P \mid (Q \mid R) \equiv_B (P \mid Q) \mid R$; $P \mid 0 \equiv_B P$.

3. $!P \equiv_B P \mid\ !P$.

4. $(\nu c)(\nu d)P \equiv_B (\nu d)(\nu c)P$.

5. $(\nu c)0 \equiv_B 0$, if $c \notin ln(B)$.

6. $(\nu c)(P \mid Q) \equiv_B (\nu c)P \mid Q$, if $c \notin ln(B) \wedge c \notin gn(Q)$.

Table 1. Structural Congruence

Buffer store B is valid for process P if each local name of B appears in some
new operator occurring at the outermost level of P, i.e., for every
$c \in ln(B)$, $P \equiv_B (\nu c)P'$ for some P'.



2.1 Operational Semantics 



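IU:   $\frac{c \notin dom(B)}{c(x).P,\ B \xrightarrow{c(d)} P\{d/x\},\ B}$

OU:   $\frac{c \notin dom(B)}{\bar{c}\langle d\rangle.P,\ B \xrightarrow{\bar{c}\langle d\rangle} P,\ B}$

Open: $\frac{P,\ B\{c/\nu c\} \xrightarrow{\bar{a}\langle c\rangle} P',\ B'}{(\nu c)P,\ B \xrightarrow{\bar{a}\langle \nu c\rangle} P',\ B'}$

IB:   $\frac{B(b) = (n, [d] :: l)}{b(x).P,\ B \xrightarrow{\tau} P\{d/x\},\ B[b \mapsto (n, l)]}$

OB:   $\frac{B(b) = (n, l);\ |l| < n}{\bar{b}\langle d\rangle.P,\ B \xrightarrow{\tau} P,\ B[b \mapsto (n, l :: [d])]}$

IBG:  $\frac{B(b) = (n, l);\ |l| < n;\ b \notin ln(P)}{P,\ B \xrightarrow{b(d)} P,\ B[b \mapsto (n, l :: [d])]}$

OBG:  $\frac{B(b) = (n, [d] :: l);\ b \notin ln(P)}{P,\ B \xrightarrow{\bar{b}\langle d\rangle} P,\ B[b \mapsto (n, l)]}$

Sum:  $\frac{j \in I;\ \pi_j.P_j,\ B \xrightarrow{\alpha} P',\ B'}{\sum_{i \in I} \pi_i.P_i,\ B \xrightarrow{\alpha} P',\ B'}$

Com:  $\frac{P,\ B \xrightarrow{\bar{c}\langle d\rangle} P',\ B;\ Q,\ B \xrightarrow{c(d)} Q',\ B;\ c \notin dom(B)}{P \mid Q,\ B \xrightarrow{\tau} P' \mid Q',\ B}$

Par:  $\frac{P,\ B \xrightarrow{\alpha} P',\ B';\ \text{new operators are guarded in } P \mid Q}{P \mid Q,\ B \xrightarrow{\alpha} P' \mid Q,\ B'}$

New:  $\frac{P,\ B\{c/\nu c\} \xrightarrow{\alpha} P',\ B';\ c \notin n(\alpha)}{(\nu c)P,\ B \xrightarrow{\alpha} (\nu c)P',\ B'\{\nu c/c\}}$

Stru: $\frac{P \equiv_B P';\ P',\ B \xrightarrow{\alpha} Q',\ B';\ Q' \equiv_{B'} Q}{P,\ B \xrightarrow{\alpha} Q,\ B'}$

NewB: $(\nu b : n)P,\ B \xrightarrow{\tau} (\nu b)P,\ B[b \mapsto (n, [\,])]$

Table 2. Operational Semantics of $\pi_b$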



The (early) transition semantics of $\pi_b$ is given in terms of a labelled
transition system generated by the rules in Table 2. The transition rules are
of the form $P, B \xrightarrow{\alpha} P', B'$, where P, P' are processes, B,
B' are buffer stores and α is an action, which can be one of the forms: the
silent action τ, free input c(d), free output $\bar{c}\langle d\rangle$ or
bound output $\bar{c}\langle \nu d\rangle$. We write n(α) for the set of names
occurring in α.

These rules are compatible with the transition rules for the π-calculus. IU
and OU are rules for unbuffered names and synchronous communication is
specified by Com. IB and OB define the asynchronous communication along
buffered names: b(x).P performs a τ action by receiving the "oldest" name d
from b's buffer, while $\bar{b}\langle d\rangle.P$ performs a τ action by
inserting d into b's buffer. Communication along buffered names is
asynchronous because it involves two transitions (IB and OB) and other actions
may occur between them.

IBG and OBG indicate that a buffer store itself may have actions. If b is a
global buffered name, that is $(\nu b)$ does not occur in P, then we can
insert names to or receive names from b's buffer directly. In New and Open,
the substitutions on the buffer store are for the sake of validity. NewB is
the rule for the extended new process. After creating an empty buffer for b,
the capacity parameter n is dropped, leaving the new operator indicating that
b is a local name.

The Par rule describes how processes can progress asynchronously, which
typically happens with buffered names. However, unlike in the π-calculus,
where we have open/close rules to manage name scope extension, in the
$\pi_b$-calculus, it is hard (perhaps impossible) to define an appropriate
close rule because when a local name is exported to a buffer, it becomes hard
to track which process will retrieve the name so as to determine the name
scope. For instance, consider the process $P_1 \mid P_2 \mid P_3$ where
$P_1 = (\nu a)\bar{b}\langle a\rangle.P_1'$, $P_2 = b(y).\cdots$,
$P_3 = b(z).\cdots$ and a valid buffer store $B = [b \mapsto (2, [\,])]$. In
the $\pi_b$-calculus, $P_1$ inserts the local a into b's buffer by a τ action,
then it can possibly be received by $P_2$ or $P_3$, hence tracking the scope
of a becomes very hard. Our solution here is to prevent processes from
inserting local names into buffers when they are running in parallel with
other processes. For processes like the above example, we extend the scope of
a to the entire process by structural congruence laws and obtain a process in
the form $(\nu a)(\bar{b}\langle a\rangle.P_1' \mid P_2 \mid P_3)$ thanks to
the name convention. This avoids the scope problem.

We have adopted the name convention which simplifies the definition of the
labeled transition system. Dealing with names with buffers is subtle and the
transition rules without the name convention are discussed in the next
subsection.

The following proposition says that transition rules preserve buffer validity:

Proposition 1. If B is valid for process P and we have the transition
$P, B \xrightarrow{\alpha} P', B'$, then B' is valid for P'.

As in the π-calculus, strong bisimulation over the set of $\pi_b$ processes
can be defined as follows.

Definition 2. A symmetric binary relation $\mathcal{R}$ over $\pi_b$ processes
is a bisimulation, if whenever $(P, B_P)\,\mathcal{R}\,(Q, B_Q)$ and
$(P, B_P) \xrightarrow{\alpha} (P', B'_P)$,

$\exists (Q', B'_Q).\ (Q, B_Q) \xrightarrow{\alpha} (Q', B'_Q) \wedge (P', B'_P)\,\mathcal{R}\,(Q', B'_Q)$

Strong bisimilarity $\sim$ is the largest strong bisimulation over the set of
$\pi_b$ processes. $(P, B_P)$ and $(Q, B_Q)$ are strongly bisimilar, written
as $(P, B_P) \sim (Q, B_Q)$, if they are related by some strong bisimulation.

Transition Rules without Name Conversion. As mentioned above, some transition
rules require extra conditions to deal with name conflict without the name
conversion. These rules are shown in Table 3.

The problem is how to determine which local name of the process a local name
in the buffers refers to. For instance, suppose $P = (\nu c)(\nu c)P'$ with
valid buffer store $B = [b \mapsto (5, [\nu c])]$. We have no idea which of
the two local c's in P the $\nu c$ in B refers to. Therefore we first assume
the local names in buffers are localized by the "outermost" and "leftmost" new
operator of the process, and add additional conditions to transition rules to
respect the assumption.

New*:  $\frac{P,\ B\{c/\nu c\} \xrightarrow{\alpha} P',\ B';\ c \notin n(\alpha);\ c \notin gn(B);\ c \notin ln(B')}{(\nu c)P,\ B \xrightarrow{\alpha} (\nu c)P',\ B'\{\nu c/c\}}$

NewB*: $\frac{b \notin dom(B)}{(\nu b : n)P,\ B \xrightarrow{\tau} (\nu b)P,\ B[b \mapsto (n, [\,])]}$

Open*: $\frac{P,\ B\{c/\nu c\} \xrightarrow{\bar{a}\langle c\rangle} P',\ B';\ c \notin gn(B)}{(\nu c)P,\ B \xrightarrow{\bar{a}\langle \nu c\rangle} P',\ B'}$

Table 3. Operational Semantics without Name Conversion

In New*, the global c in B is semantically different from the local c in P.
For example $P = \bar{b}\langle c\rangle.(\nu c)\bar{b}\langle c\rangle$, with
$B = [b \mapsto (5, [\,])]$. A τ transition inserts the global c into b's
buffer, and we have $P' = (\nu c)\bar{b}\langle c\rangle$, with
$B' = [b \mapsto (5, [c])]$. At this point, we intend to insert the local c
into b's buffer; this local c is apparently different from the global c
already in the buffer. We add the condition $c \notin gn(B)$ to enforce a
renaming of the local c of P before the insertion. The same discussion applies
to the same extra condition of Open*.

In rare cases, another condition is required for New*. Suppose, for instance,
$P = (\nu c)(\nu c)\bar{b}\langle c\rangle.\bar{b}\langle c\rangle$, with
$B = [b \mapsto (5, [\,])]$. According to the existing New rule, the process
may perform a τ action inserting a local c into b's buffer and become
$(\nu c)(\nu c)\bar{b}\langle c\rangle$, with buffer store changed to
$B[b \mapsto (5, [\nu c])]$ where the local c is actually localized by the
second $(\nu c)$. But by our assumption, it would refer to the first local c
of the process. We avoid this inconsistency by introducing the condition
$c \notin ln(B')$.

The condition $b \notin dom(B)$ in NewB* guarantees that a fresh buffered name
is used.



Examples. We demonstrate these transition rules by showing some examples. The
following example illustrates the asynchronous communication by buffered
names.

Example 3. $P = (\nu a)\bar{b}\langle a\rangle.a(x) \mid b(y).\bar{y}\langle c\rangle \mid R$ and $B = [b \mapsto (5, [\,])]$

$(\nu a)\bar{b}\langle a\rangle.a(x) \mid b(y).\bar{y}\langle c\rangle \mid R,\ B[b \mapsto (5, [\,])]$
$\equiv_B (\nu a)(\bar{b}\langle a\rangle.a(x) \mid b(y).\bar{y}\langle c\rangle \mid R),\ B[b \mapsto (5, [\,])]$
New $\xrightarrow{\tau} (\nu a)(a(x) \mid b(y).\bar{y}\langle c\rangle \mid R),\ B[b \mapsto (5, [\nu a])]$
New $\xrightarrow{\tau} (\nu a)(a(x) \mid \bar{a}\langle c\rangle \mid R),\ B[b \mapsto (5, [\,])]$

P is a parallel composition; we may not use Par immediately as it contains an
unguarded new process. After moving the new operator to the outermost level,
we may apply the New rule which induces a τ transition 'sending' the local a
into b's buffer. Notice that the local a is not directly inserted into the
buffer, but in a substituting way — a is inserted into b's buffer in the
premise of New, then a is replaced by $\nu a$ in the conclusion. The second τ
step describes the 'receiving' of a local name from a buffer.

The next three examples illustrate the extra New* rule.

Example 4. $P = \bar{b}\langle a\rangle.(\nu a)\bar{b}\langle a\rangle.\bar{b}\langle a\rangle$ and $B = [b \mapsto (5, [\,])]$

$\bar{b}\langle a\rangle.(\nu a)\bar{b}\langle a\rangle.\bar{b}\langle a\rangle,\ B[b \mapsto (5, [\,])]$
IB $\xrightarrow{\tau} (\nu a)\bar{b}\langle a\rangle.\bar{b}\langle a\rangle,\ B[b \mapsto (5, [a])] = B'$
$\equiv_{B'} (\nu a')\bar{b}\langle a'\rangle.\bar{b}\langle a'\rangle,\ B[b \mapsto (5, [a])]$
New* $\xrightarrow{\tau} (\nu a')\bar{b}\langle a'\rangle,\ B[b \mapsto (5, [a, \nu a'])]$
New* $\xrightarrow{\tau} (\nu a')0,\ B[b \mapsto (5, [a, \nu a', \nu a'])]$

The first τ step follows from IB. At this point, the local name a occurs free
in the buffer store, hence an α-conversion is required. After renaming a to
a', a second τ transition 'sends' the local name to b's buffer.

Example 5. $P = (\nu a)\bar{b}\langle a\rangle.(\nu a)\bar{b}\langle a\rangle$ and $B = [b \mapsto (5, [\,])]$

$(\nu a)\bar{b}\langle a\rangle.(\nu a)\bar{b}\langle a\rangle,\ B[b \mapsto (5, [\,])]$
New* $\xrightarrow{\tau} (\nu a)(\nu a)\bar{b}\langle a\rangle,\ B[b \mapsto (5, [\nu a])] = B'$
$\equiv_{B'} (\nu a)(\nu a')\bar{b}\langle a'\rangle,\ B[b \mapsto (5, [\nu a])]$
New* $\xrightarrow{\tau} (\nu a)(\nu a')0,\ B[b \mapsto (5, [\nu a, \nu a'])]$

After inserting the local a into the buffer, the process contains two
outermost new operators and they are syntactically the same (semantically
different). Following New*, we first determine the action of
$(\nu a)\bar{b}\langle a\rangle$ with $B[b \mapsto (5, [a])]$. Since the local
name a occurs free in the buffer store, an α-conversion is required. After
that, a τ transition results in $(\nu a')0$ with buffer store
$B[b \mapsto (5, [a, \nu a'])]$. Finally, all the a in the buffer store are
modified back to $\nu a$.

Example 6. $P = (\nu a)(\nu a)\bar{b}\langle a\rangle.\bar{b}\langle a\rangle$ and $B = [b \mapsto (5, [\,])]$

$(\nu a)\bar{b}\langle a\rangle.\bar{b}\langle a\rangle,\ B[b \mapsto (5, [\,])] \xrightarrow{\tau} (\nu a)\bar{b}\langle a\rangle,\ B[b \mapsto (5, [\nu a])]$

$(\nu a)(\nu a)\bar{b}\langle a\rangle.\bar{b}\langle a\rangle,\ B[b \mapsto (5, [\,])] = B'$
$\equiv_{B'} (\nu a)(\nu a')\bar{b}\langle a'\rangle.\bar{b}\langle a'\rangle,\ B[b \mapsto (5, [\,])]$
New* $\xrightarrow{\tau} (\nu a)(\nu a')\bar{b}\langle a'\rangle,\ B[b \mapsto (5, [\nu a'])]$
New* $\xrightarrow{\tau} (\nu a)(\nu a')0,\ B[b \mapsto (5, [\nu a', \nu a'])]$

P contains two outermost new operators at the beginning. We first determine
the action of $(\nu a)\bar{b}\langle a\rangle.\bar{b}\langle a\rangle$ with
buffer $B[b \mapsto (5, [\,])]$. A τ transition leads to
$(\nu a)\bar{b}\langle a\rangle$ with $B[b \mapsto (5, [\nu a])]$ where the
local a actually refers to the second $\nu a$ of the original process. Hence
an α-conversion of the second $\nu a$ is required to distinguish it from the
first one. This requirement is captured by $a \notin ln(B')$ in New*.
An interlude of Close Rule and Structure Congruence. In the π-calculus, which
laws to include in structure congruence and which other rules to include in
the transition rules is a trade-off. This phenomenon also exists in our
$\pi_b$-calculus. One may ask for including a similar Close$_\pi$ rule, which
generates a τ action by synchronizing an input and a bound output action, and
omitting those scope extension laws in structure congruence.

Close$_\pi$: $P \mid Q \xrightarrow{\tau} (\nu a)(P' \mid Q')$

In Close$_\pi$, the local name moves to the action in the premise and to the
outermost level in the conclusion. What should the rule be in $\pi_b$?

Suppose P performs a τ action sending a local name a to b's buffer and becomes
P', and at some point in the future Q performs a τ action receiving this local
name from the buffer and becomes Q'. The scope of a should contain both P' and
Q'. But if P' evolves into another process during the period between the two
silent actions, how can we determine which processes we should encompass by
the new operator $\nu a$?

In the π-calculus, communications are synchronous: an input process cannot
proceed unless a complementary (bound) output process is ready, and vice
versa. However, in the $\pi_b$-calculus, communications along buffered names
are asynchronous, and other actions may occur between the two transitions. For
this reason, we choose scope extension laws instead of some Close rules.

2.2 Encoding in the Polyadic π-Calculus

We demonstrate an encoding of the $\pi_b$-calculus in the polyadic π-calculus.

Intuitively, a $\pi_b$ name c is encoded into a pair of π names $(c_1, c_2)$
by the injective name translation function N. In the name pair, $c_1$ is
called the input name and $c_2$ the output name of c. In addition, input and
output names for unbuffered names are identical, but not for buffered names.
The two translation names of buffered name b are exactly the names along which
a buffer process modelling the buffer of b receives and sends values.

1. If a is an unbuffered name, then $a_1 = a_2$ where $N(a) = (a_1, a_2)$.

2. If b is a buffered name, then $b_1 \neq b_2$ where $N(b) = (b_1, b_2)$.

3. For any two names $c \neq d$, $c_1 \neq d_1 \wedge c_1 \neq d_2 \wedge c_2 \neq d_1 \wedge c_2 \neq d_2$.

Table 4. Name Translation Function N



The buffer process is defined in Table 5. Intuitively speaking,
$F_{n,L}(b_1, b_2)$ is the π representation of b's buffer, where n denotes the
capacity and L is a list of π name pairs. This process may further receive a
pair of names along its second parameter $b_2$ if L is not full ($|L| < n$) or
send a pair of names along its first parameter $b_1$ providing L is not empty.

$F_{n,L}(b_1, b_2) \stackrel{def}{=} b_2(x_1, x_2).F_{n,L_1}(b_1, b_2)$   ($|L| = 0$)
    where $L_1 = [(x_1, x_2)]$

$F_{n,L}(b_1, b_2) \stackrel{def}{=} b_2(x_1, x_2).F_{n,L_1}(b_1, b_2) + \bar{b_1}\langle v_1, v_2\rangle.F_{n,L_2}(b_1, b_2)$   ($0 < |L| < n$)
    where $L_1 = L :: [(x_1, x_2)]$; $L = [(v_1, v_2)] :: L_2$

$F_{n,L}(b_1, b_2) \stackrel{def}{=} \bar{b_1}\langle v_1, v_2\rangle.F_{n,L_2}(b_1, b_2)$   ($|L| = n$)
    where $L = [(v_1, v_2)] :: L_2$

Table 5. Buffer Process $F_{n,L}$
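
Added example (not part of the paper): the buffer process of Table 5 written as a Go goroutine over two unbuffered channels, showing the capacity bound and the first-in-first-out order that the encoding relies on. The names Pair, N, BufferProcess, TrySend, TryRecv and RunDemo, the done channel, the payload names a, b, c, and the use of a timeout to observe "blocked" are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Pair is the polyadic payload: the (input name, output name) pair that the
// name translation N assigns to one name. Strings stand in for pi names.
type Pair struct{ In, Out string }

// N translates an unbuffered payload name: both components coincide
// (Table 4, item 1). Hypothetical helper for this example.
func N(a string) Pair { return Pair{a, a} }

// BufferProcess plays F_{n,L}(b1, b2): it inputs pairs on b2 while |L| < n and
// outputs the oldest pair on b1 while |L| > 0. done is an added stop signal.
func BufferProcess(n int, b1 chan<- Pair, b2 <-chan Pair, done <-chan struct{}) {
	var L []Pair
	for {
		// A nil channel disables its select case, which encodes the three
		// side conditions |L| = 0, 0 < |L| < n and |L| = n.
		var in <-chan Pair
		var out chan<- Pair
		var head Pair
		if len(L) < n {
			in = b2
		}
		if len(L) > 0 {
			out, head = b1, L[0]
		}
		select {
		case p := <-in:
			L = append(L, p) // L1 = L :: [(x1, x2)]
		case out <- head:
			L = L[1:] // L = [(v1, v2)] :: L2
		case <-done:
			return
		}
	}
}

// TrySend reports whether an encoded output prefix on b2 fires before the
// timeout; a timeout is how this example observes "blocked".
func TrySend(b2 chan<- Pair, p Pair, d time.Duration) bool {
	select {
	case b2 <- p:
		return true
	case <-time.After(d):
		return false
	}
}

// TryRecv does the same for an encoded input prefix on b1.
func TryRecv(b1 <-chan Pair, d time.Duration) (Pair, bool) {
	select {
	case p := <-b1:
		return p, true
	case <-time.After(d):
		return Pair{}, false
	}
}

// RunDemo drives a capacity-2 buffer with constructed names a, b, c. It
// returns how many sends fired before any receive, the order in which names
// came out, and whether a receive on the drained buffer blocked.
func RunDemo() (int, []string, bool) {
	const wait = 100 * time.Millisecond
	b1, b2 := make(chan Pair), make(chan Pair) // unbuffered: synchronous pi names
	done := make(chan struct{})
	defer close(done)
	go BufferProcess(2, b1, b2, done)

	accepted := 0
	for _, name := range []string{"a", "b", "c"} {
		if TrySend(b2, N(name), wait) {
			accepted++
		}
	}
	var order []string
	if p, ok := TryRecv(b1, wait); ok { // frees one slot
		order = append(order, p.In)
	}
	TrySend(b2, N("c"), wait) // the send that blocked can now fire
	for i := 0; i < 2; i++ {
		if p, ok := TryRecv(b1, wait); ok {
			order = append(order, p.In)
		}
	}
	_, ok := TryRecv(b1, wait)
	return accepted, order, !ok
}

func main() {
	accepted, order, emptyBlocks := RunDemo()
	fmt.Println(accepted, order, emptyBlocks)
}
```
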

The translation function $[\![\cdot]\!]$ takes a $\pi_b$ process and a valid
buffer store as parameters and returns a single π process. The encoding of a
buffer store is a composition of buffer processes each representing a buffered
name's buffer. For processes, the encoding differs from the original process
in the new operators and prefixes. A new operator is encoded into two new
operators localizing the pair of translation names. The encoding of input
prefix c(x) is also an input prefix but the subject is c's input name $c_1$,
while the encoding of output prefix $\bar{c}\langle d\rangle$ has the output
name $c_2$ as the subject. Finally, in the encoding of an extended new process
$(\nu b : n)P$, a buffer process representing b's buffer is added.

The action translation function M maps $\pi_b$ actions to corresponding π
actions; it is defined similarly to the encoding of prefixes.

With an abuse of notation, we also write $[\![P]\!]$ and $[\![B]\!]$ for the
encoding of P and B respectively. The translation function $[\![\cdot]\!]$,
along with the bijective action translation function M, are defined in
Table 6.

The following properties are apparent. Substitutions can be postponed until
after the translation.

Proposition 7. For a process P, and the translation function $[\![\cdot]\!]$

$[\![P\{c/x\}]\!] = [\![P]\!]\{c_1, c_2 / x_1, x_2\}$

where $N(x) = (x_1, x_2)$ and $N(c) = (c_1, c_2)$.

And structure congruent processes have the 'same' encodings.

Proposition 8. If $P \equiv_B Q$, then $[\![P, B]\!] = [\![Q, B]\!]$.

These propositions can be proved by induction on the structure of P.

Full Abstraction. The following two lemmas show that transitions of a $\pi_b$
process can be simulated by its encoding, and no more transition is introduced
by the encoding.

Lemma 9. Suppose $(P, B) \xrightarrow{\alpha} (P', B')$, then $[\![P, B]\!] \xrightarrow{M(\alpha)} [\![P', B']\!]$.
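
$[\![c(x).P]\!] = c_1(x_1, x_2).[\![P]\!]$
$[\![\bar{c}\langle d\rangle.P]\!] = \bar{c_2}\langle d_1, d_2\rangle.[\![P]\!]$
$[\![P \mid Q]\!] = [\![P]\!] \mid [\![Q]\!]$
$[\![(\nu b : n)P]\!] = (\nu b_1 b_2)\tau.([\![P]\!] \mid F_{n,[\,]}(b_1, b_2))$
$[\![(\nu c)P]\!] = (\nu c_1 c_2)[\![P]\!]$
$[\![B]\!] = \prod_{b \in dom(B)} F_{n_b,L_b}(b_1, b_2)$
    where $B(b) = (n_b, [d^1 \ldots d^m])$; $L_b = [(d^1_1, d^1_2) \ldots (d^m_1, d^m_2)]$

$[\![P, B]\!] = (\nu c_1 c_2)[\![P', B\{c/\nu c\}]\!]$   if $c \in ln(B) \cup (dom(B) \cap ln(P))$ and $P \equiv_B (\nu c)P'$
$[\![P, B]\!] = [\![P]\!] \mid [\![B]\!]$   otherwise

$M(\alpha) = a_1(d_1, d_2)$   if $\alpha = a(d) \wedge a \notin dom(B)$
$M(\alpha) = \bar{a_2}\langle d_1, d_2\rangle$   if $\alpha = \bar{a}\langle d\rangle \wedge a \notin dom(B)$
$M(\alpha) = \bar{a_2}\langle \nu d_1, \nu d_2\rangle$   if $\alpha = \bar{a}\langle \nu d\rangle \wedge a \notin dom(B)$
$M(\alpha) = b_2(d_1, d_2)$   if $\alpha = b(d) \wedge b \in dom(B)$
$M(\alpha) = \bar{b_1}\langle d_1, d_2\rangle$   if $\alpha = \bar{b}\langle d\rangle \wedge b \in dom(B)$
$M(\alpha) = \bar{b_1}\langle \nu d_1, \nu d_2\rangle$   if $\alpha = \bar{b}\langle \nu d\rangle \wedge b \in dom(B)$

Table 6. Translation Function $[\![\cdot]\!]$ and Action Translation Function M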



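Lemma 10. Suppose $[\![P, B]\!] \xrightarrow{M(\alpha)} R$, then $(P, B) \xrightarrow{\alpha} (P', B')$ and $R = [\![P', B']\!]$.

Strong bisimulation relation is retained in the translation.

Lemma 11. If $(P, B_P) \sim (Q, B_Q)$, then $[\![P, B_P]\!] \sim [\![Q, B_Q]\!]$.

Proof. We show the following relation $\mathcal{R}$ is a strong bisimulation.

$\mathcal{R} = \{([\![P, B_P]\!], [\![Q, B_Q]\!]) \mid (P, B_P) \sim (Q, B_Q)\}$

Suppose $[\![P, B_P]\!] \xrightarrow{M(\alpha)} R$, then by Lemma 10,

$R = [\![P', B'_P]\!]$ and $(P, B_P) \xrightarrow{\alpha}$

Since $(Q, B_Q) \xrightarrow{\alpha} (Q', B'_Q)$, by Lemma 9

and also $([\![P', B'_P]\!], [\![Q', B'_Q]\!]) \in \mathcal{R}$ because $(P', B'_P) \sim (Q', B'_Q)$.

The other direction is the same.

Lemma 12. If $[\![P, B_P]\!] \sim [\![Q, B_Q]\!]$, then $(P, B_P) \sim (Q, B_Q)$.

Proof. We show the following relation $\mathcal{R}$ is a strong bisimulation.

$\mathcal{R} = \{((P, B_P), (Q, B_Q)) \mid [\![P, B_P]\!] \sim [\![Q, B_Q]\!]\}$

Suppose $(P, B_P) \xrightarrow{\alpha} (P', B'_P)$, then by Lemma 9,

$[\![P, B_P]\!] \xrightarrow{M(\alpha)} [\![P', B'_P]\!]$

Since $[\![Q, B_Q]\!]$ by Lemma 10,

$R = [\![Q', B'_Q]\!]$ and $(Q, B_Q) \xrightarrow{\alpha} (Q', B'_Q)$

and also $((P', B'_P), (Q', B'_Q)) \in \mathcal{R}$ because $[\![P', B'_P]\!] \sim [\![Q', B'_Q]\!]$.

The other direction is the same. □

It follows that the encoding preserves strong bisimulation.

Theorem 13. $(P, B_P) \sim (Q, B_Q)$ if and only if $[\![P, B_P]\!] \sim [\![Q, B_Q]\!]$.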

3 The Go Programming language 

The Go programming language is a general purpose language developed by Google
to support easy and rapid development of large distributed systems. This
relatively young language inherits many good qualities of its ancestor while
at the same time introducing dozens of innovations for efficient and effective
programming. One of the most fascinating innovations is the concurrency
feature, which greatly simplifies the construction of concurrent applications.
This section presents a formal operational semantics of the (core) Go language
and a fully abstract encoding in the $\pi_b$-calculus.

The syntax of a core of Go is presented in Table 7. An online specification of
Go can be found at its website [6].

The channel type, coupled with the concept called Go-routine, constitutes the
core of Go's concurrency system. Channel types are of the form chan t, where t
is called the element type. Channels (ch) are first-class values of this
language, and they are created by the make expression make(chan t, n), where
chan t specifies the channel type and the integer n specifies the size of the
channel buffer. Notice that n must be non-negative and if it is zero, the
created channel will be a synchronous channel.

Go-routines are similar to OS threads but much cheaper. A Go-routine is
launched by the statement go f(v1 ... vn). The function body of f will be
executed in parallel with the program that executes the go statement. When the
function completes, this Go-routine terminates and its return value is
discarded.

Communication among Go-routines is achieved by sending and receiving
operations on channels. Sending statement ch<-v sends v to channel ch, while
receiving <-ch, regarded as an expression in Go, receives a value from ch.
Communication via unbuffered channels is synchronous. Buffered (non-zero
sized) channels enable asynchronous communication. Sending a value to a
buffered channel can proceed as long as its buffer is not full and receiving
from a buffered channel can proceed as long as its buffer is not empty.

Footnote. Google has claimed that Go is used in production now. Specifically,
the website of Go (golang.org) and the download site (dl.google.com) are
written in Go.

Types:
    t ::= int | chan t

Expressions:
    e, e1, e2, ... ::= x                    Variable
                     | n                    Integer
                     | ch                   Channel
                     | make(chan t, n)      Channel creation
                     | <-e                  Receiving

Statements:
    s, s1, s2, ... ::= x = e                Assignment
                     | e1<-e2               Sending
                     | s1 ; s2              Sequential
                     | go f(e1 ... en)      Go-routine
                     | select {c1 ... cn}   Selection

    where c1, c2, ... ::= case x = <-e : s | case e1<-e2 : s

Table 7. Syntax of the (core) Go

select statements introduce non-deterministic choice, but their clauses re- 
fer to only communication operations. A select statement randomly selects a 
clause whose communication is "ready" (able to proceed), completes the selected 
communication, then proceeds with the corresponding clause statement. 

Without loss of generality, we stipulate that a Go program is a set of
function declarations, each of the form

func f(x1 ... xn) {s}

A Go program must specify a main function, which we shall refer to as f_start
in the sequel, as the entry point — running a Go program is equivalent to
executing go f_start(...) with appropriate arguments. For the sake of
simplicity, we only consider function calls in go statements and we assume
that all functions do not return values and their bodies contain no local
variables other than function arguments.

3.1 Operational Semantics

The structural operational semantics of Go is defined by a two-level labelled
transition system: the local transition system specifies the execution of a
single Go-routine in isolation, and the global transition system describes the
behavior of a running Go program.

We first define the evaluation of expressions. An expression configuration is
a triple $(e, \sigma, \delta_c)$, where e is the expression to be evaluated,
σ is the local store mapping local variables to values, and $\delta_c$ is the
channel store mapping channels to triples (n, l, g), where n is the capacity
of the channel's buffer, l is a list of values in the channel buffer, and g is
a tag indicating whether the channel is local (0) or global (1). The
transition rules between expression configurations $\mapsto_g$ are defined in
Table 8, where actions can be either the silent action τ, or r(ch, v) denoting
the receive action. We often omit τ from silent transitions.



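Var: $(x, \sigma, \delta_c) \mapsto_g (\sigma(x), \sigma, \delta_c)$

Mak: $\frac{ch \notin dom(\delta_c)}{(\mathtt{make(chan}\ \tau, n\mathtt{)}, \sigma, \delta_c) \mapsto_g (ch, \sigma, \delta_c[ch \mapsto (n, [\,], 0)])}$

RvE: $\frac{(e, \sigma, \delta_c) \mapsto_g (e', \sigma, \delta'_c)}{(\mathtt{<-}e, \sigma, \delta_c) \mapsto_g (\mathtt{<-}e', \sigma, \delta'_c)}$

RvU: $\frac{\delta_c(ch) = (0, [\,], g)}{(\mathtt{<-}ch, \sigma, \delta_c) \xmapsto{r(ch,v)}_g (v, \sigma, \delta_c)}$

RvB: $\frac{\delta_c(ch) = (n, [v] :: l, g);\ n > 0}{(\mathtt{<-}ch, \sigma, \delta_c) \mapsto_g (v, \sigma, \delta_c[ch \mapsto (n, l, g)])}$

Table 8. Transition Rules for Expressions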



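Var retrieves the value of $x$ from local store $\sigma$. Mak creates a fresh local channel
$ch$. Other rules concern receiving from channels. Once the channel expression is
fully evaluated, the real receive begins following rules RvU and RvB. The value
received from an unbuffered channel is indicated in the label, while the value
received from a buffered channel is the "oldest" value of the channel's buffer.

The local transition system defines transition rules between local configurations.
A local configuration is a tuple $\langle s, \sigma, \delta_c \rangle$, where $s$ is the statement to be
executed, $\sigma$ is the local store and $\delta_c$ is the channel store. Each Go-routine has its
own local store, but the channel store is shared by all Go-routines of a running
program. The local transition relation $\mapsto_g$ is presented in Table 9. Two additional
actions can occur in local transition rules: $s(ch, v)$ for message sending
over channels and $g(f, v_1 \ldots v_n)$ for Go-routine creation.

Subexpression evaluation in Go is strict and leftmost, and this evaluation
strategy is specified by AsE, SdE1, SdE2, GoE and SlE. For a select statement,
its subexpressions are those in its communication operations — the $e_1, e_2$ in
case $e_1 \texttt{<-} e_2 : s$ and the $e$ in case $x = \texttt{<-}e : s$.

Rules SdU and SdB capture the behavior of sending over unbuffered and
buffered channels respectively. Sending a value $v$ over an unbuffered channel $ch$
carries a sending label $s(ch, v)$, while sending over buffered channels is silent
and can proceed as long as the target channel buffer is not full. The Go rule
says that a go statement does nothing locally and can always proceed with a
transition with the $g$ label — the label is here simply for notifying the global
configuration to generate corresponding Go-routines. Ass assigns $v$ to variable
$x$. Seq1 and Seq2 specify the sequential execution. In SlR and SlS, the select
statement picks the $i$-th clause.

$$\text{Ass}\quad \langle x = v, \sigma, \delta_c \rangle \mapsto_g \langle \texttt{nil}, \sigma[x \mapsto v], \delta_c \rangle$$

$$\text{AsE}\quad \frac{\langle e, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle e', \sigma, \delta_c' \rangle}{\langle x = e, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle x = e', \sigma, \delta_c' \rangle}$$

$$\text{SdU}\quad \frac{\delta_c(ch) = (0, [\,], g)}{\langle ch \texttt{<-} v, \sigma, \delta_c \rangle \stackrel{s(ch,v)}{\mapsto}_g \langle \texttt{nil}, \sigma, \delta_c \rangle}$$

$$\text{SdB}\quad \frac{\delta_c(ch) = (n, l, g);\ n > 0;\ |l| < n}{\langle ch \texttt{<-} v, \sigma, \delta_c \rangle \mapsto_g \langle \texttt{nil}, \sigma, \delta_c[ch \mapsto (n, l :: [v], g)] \rangle}$$

$$\text{SdE1}\quad \frac{\langle e_1, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle e_1', \sigma, \delta_c' \rangle}{\langle e_1 \texttt{<-} e_2, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle e_1' \texttt{<-} e_2, \sigma, \delta_c' \rangle}$$

$$\text{SdE2}\quad \frac{\langle e_2, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle e_2', \sigma, \delta_c' \rangle}{\langle ch \texttt{<-} e_2, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle ch \texttt{<-} e_2', \sigma, \delta_c' \rangle}$$

$$\text{Go}\quad \langle \texttt{go}\ f(v_1 \ldots v_n), \sigma, \delta_c \rangle \stackrel{g(f, v_1 \ldots v_n)}{\mapsto}_g \langle \texttt{nil}, \sigma, \delta_c \rangle$$

$$\text{GoE}\quad \frac{\langle e_i, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle e_i', \sigma, \delta_c' \rangle}{\langle \texttt{go}\ f(..v_{i-1}, e_i ..), \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle \texttt{go}\ f(..v_{i-1}, e_i' ..), \sigma, \delta_c' \rangle}$$

$$\text{SlR}\quad \frac{\langle \texttt{<-}ch, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle v, \sigma, \delta_c' \rangle;\ c_i = \texttt{case}\ x = \texttt{<-}ch : s}{\langle \texttt{select}\ \{\ldots c_i \ldots\}, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle x = v; s, \sigma, \delta_c' \rangle}$$

$$\text{SlS}\quad \frac{\langle ch \texttt{<-} v, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle \texttt{nil}, \sigma, \delta_c' \rangle;\ c_i = \texttt{case}\ ch \texttt{<-} v : s}{\langle \texttt{select}\ \{\ldots c_i \ldots\}, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle s, \sigma, \delta_c' \rangle}$$

$$\text{SlE}\quad \frac{\langle e, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle e', \sigma, \delta_c' \rangle}{\langle \texttt{select}\ \{..c_i..\}, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle \texttt{select}\ \{..c_i'..\}, \sigma, \delta_c' \rangle}$$

(in SlE, $e$ is the first non-fully evaluated subexpression of the communication
operations in $c_1 \ldots c_n$)

$$\text{Seq1}\quad \frac{\langle s_1, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle s_1', \sigma', \delta_c' \rangle}{\langle s_1; s_2, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle s_1'; s_2, \sigma', \delta_c' \rangle}$$

$$\text{Seq2}\quad \frac{\langle s_2, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle s_2', \sigma', \delta_c' \rangle}{\langle \texttt{nil}; s_2, \sigma, \delta_c \rangle \stackrel{\alpha}{\mapsto}_g \langle s_2', \sigma', \delta_c' \rangle}$$

Table 9. Local Transition Rules of Go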
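The enabling conditions of Mak, SdB, RvB, SdU and RvU, together with the pairing of send and receive labels performed by the global rule Com, can be exercised on an explicit channel store. The Go program below is an added illustration, not code from the paper; Store, Channel, Label, ErrNotReady and the method names are assumptions made here, and values are restricted to integers.

```go
package main

import (
	"errors"
	"fmt"
)

// Channel is one entry of the channel store: the triple (n, l, g).
type Channel struct {
	N int   // capacity of the buffer; 0 means unbuffered
	L []int // values in the buffer, oldest first
	G int   // 0 = local channel, 1 = global channel
}

// Store models the channel store shared by all Go-routines.
type Store map[string]*Channel

// Label is an observable local action: s(ch,v) or r(ch,v).
type Label struct {
	Kind string // "s" or "r"
	Ch   string
	V    int
}

// ErrNotReady means no rule applies, so the Go-routine stays blocked.
var ErrNotReady = errors.New("communication not ready")

// Make follows Mak: pick ch outside dom(store) and bind it to (n, [], 0).
func (s Store) Make(n int) string {
	ch := fmt.Sprintf("ch%d", len(s))
	s[ch] = &Channel{N: n, G: 0}
	return ch
}

// SendBuffered follows SdB: a silent step, enabled only if n > 0 and |l| < n.
func (s Store) SendBuffered(ch string, v int) error {
	c, ok := s[ch]
	if !ok || c.N == 0 || len(c.L) >= c.N {
		return ErrNotReady
	}
	c.L = append(c.L, v) // l :: [v]
	return nil
}

// RecvBuffered follows RvB: a silent step that removes the oldest value.
func (s Store) RecvBuffered(ch string) (int, error) {
	c, ok := s[ch]
	if !ok || c.N == 0 || len(c.L) == 0 {
		return 0, ErrNotReady
	}
	v := c.L[0]
	c.L = c.L[1:]
	return v, nil
}

// SendUnbuffered follows SdU: the store is unchanged, the step carries s(ch,v).
func (s Store) SendUnbuffered(ch string, v int) (Label, error) {
	c, ok := s[ch]
	if !ok || c.N != 0 {
		return Label{}, ErrNotReady
	}
	return Label{Kind: "s", Ch: ch, V: v}, nil
}

// RecvUnbuffered follows RvU: the value v is not fixed locally, it only
// appears in the label r(ch,v) and is settled when Com finds a sender.
func (s Store) RecvUnbuffered(ch string, v int) (Label, error) {
	c, ok := s[ch]
	if !ok || c.N != 0 {
		return Label{}, ErrNotReady
	}
	return Label{Kind: "r", Ch: ch, V: v}, nil
}

// Com follows the global rule Com: two Go-routines take one internal step
// only if one offers s(ch,v) and the other r(ch,v) for the same ch and v.
func Com(snd, rcv Label) bool {
	return snd.Kind == "s" && rcv.Kind == "r" && snd.Ch == rcv.Ch && snd.V == rcv.V
}

func main() {
	s := Store{}
	b := s.Make(2)                                           // buffered, capacity 2
	fmt.Println(s.SendBuffered(b, 1), s.SendBuffered(b, 2)) // both sends are enabled
	fmt.Println(s.SendBuffered(b, 3))                        // buffer full: not ready
	v, _ := s.RecvBuffered(b)
	fmt.Println(v, s[b].L) // the oldest value leaves first

	u := s.Make(0) // unbuffered
	snd, _ := s.SendUnbuffered(u, 7)
	rcv, _ := s.RecvUnbuffered(u, 7)
	fmt.Println(Com(snd, rcv)) // rendezvous on u
}
```
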

Global transitions happen between global configurations which contain information
of all running Go-routines. A global configuration, denoted by $A, A_1, \ldots$,
is defined as a tuple $\langle \Gamma, \delta_c \rangle$, where $\Gamma$ is a multi-set of statement/local store
pairs $(s, \sigma)$ of all running Go-routines, and $\delta_c$ is the channel store.

A global transition takes the form

$$\delta_f \vdash \langle \Gamma_1, \delta_{c_1} \rangle \stackrel{\alpha}{\rightarrow}_g \langle \Gamma_2, \delta_{c_2} \rangle$$

where $\delta_f$ is a mapping from function names to function definitions. A Go program
will start from an initial configuration $\langle \{(s_{start}, \sigma_{start})\}, \delta_{init} \rangle$, where $s_{start}$ is the
body of the main function start, $\sigma_{start}$ is the local store of start, and $\delta_{init}$ is the
initial channel store. The global transition rules are listed in Table 10. A global
action can be either $\tau$, $r(ch, v)$ or $s(ch, v)$.



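$$\text{Loc}\quad \frac{\langle s, \sigma, \delta_c \rangle \stackrel{\tau}{\mapsto}_g \langle s', \sigma', \delta_c' \rangle}{\delta_f \vdash \langle \Gamma \cup \{(s, \sigma)\}, \delta_c \rangle \stackrel{\tau}{\rightarrow}_g \langle \Gamma \cup \{(s', \sigma')\}, \delta_c' \rangle}$$

$$\text{Com}\quad \frac{\langle s_1, \sigma_1, \delta_c \rangle \stackrel{r(ch,v)}{\mapsto}_g \langle s_1', \sigma_1, \delta_c \rangle;\ \langle s_2, \sigma_2, \delta_c \rangle \stackrel{s(ch,v)}{\mapsto}_g \langle s_2', \sigma_2, \delta_c \rangle}{\delta_f \vdash \langle \Gamma \cup \{(s_1, \sigma_1), (s_2, \sigma_2)\}, \delta_c \rangle \stackrel{\tau}{\rightarrow}_g \langle \Gamma \cup \{(s_1', \sigma_1), (s_2', \sigma_2)\}, \delta_c \rangle}$$

$$\text{LGo}\quad \frac{\langle s, \sigma, \delta_c \rangle \stackrel{g(f, v_1 \ldots v_m)}{\mapsto}_g \langle s', \sigma, \delta_c \rangle;\ \delta_f(f) = (\texttt{func}\ f(x_1 \ldots x_m)\ \{s_f\})}{\delta_f \vdash \langle \Gamma \cup \{(s, \sigma)\}, \delta_c \rangle \stackrel{\tau}{\rightarrow}_g \langle \Gamma \cup \{(s', \sigma), (s_f, [x_1 \mapsto v_1 \ldots x_m \mapsto v_m])\}, \delta_c \rangle}$$

$$\text{GRU}\quad \frac{\langle s, \sigma, \delta_c \rangle \stackrel{r(ch,v)}{\mapsto}_g \langle s', \sigma, \delta_c \rangle;\ \delta_c(ch) = (0, [\,], 1)}{\delta_f \vdash \langle \Gamma \cup \{(s, \sigma)\}, \delta_c \rangle \stackrel{r(ch,v)}{\rightarrow}_g \langle \Gamma \cup \{(s', \sigma)\}, \delta_c \rangle}$$

$$\text{GRB}\quad \frac{\delta_c(ch) = (n, l, 1);\ n > 0;\ |l| < n}{\delta_f \vdash \langle \Gamma, \delta_c \rangle \stackrel{r(ch,v)}{\rightarrow}_g \langle \Gamma, \delta_c[ch \mapsto (n, l :: [v], 1)] \rangle}$$

$$\text{GSU1}\quad \frac{\langle s, \sigma, \delta_c \rangle \stackrel{s(ch,v)}{\mapsto}_g \langle s', \sigma, \delta_c \rangle;\ \delta_c(ch) = (0, [\,], 1);\ v \notin dom(\delta_c)}{\delta_f \vdash \langle \Gamma \cup \{(s, \sigma)\}, \delta_c \rangle \stackrel{s(ch,v)}{\rightarrow}_g \langle \Gamma \cup \{(s', \sigma)\}, \delta_c \rangle}$$

$$\text{GSU2}\quad \frac{\langle s, \sigma, \delta_c \rangle \stackrel{s(ch,ch')}{\mapsto}_g \langle s', \sigma, \delta_c \rangle;\ \delta_c(ch) = (0, [\,], 1);\ \delta_c(ch') = (n', l', g')}{\delta_f \vdash \langle \Gamma \cup \{(s, \sigma)\}, \delta_c \rangle \stackrel{s(ch,\nu ch')}{\rightarrow}_g \langle \Gamma \cup \{(s', \sigma)\}, \delta_c[ch' \mapsto (n', l', 1)] \rangle}$$

$$\text{GSB1}\quad \frac{\delta_c(ch) = (n, [v] :: l, 1);\ n > 0;\ v \notin dom(\delta_c)}{\delta_f \vdash \langle \Gamma, \delta_c \rangle \stackrel{s(ch,v)}{\rightarrow}_g \langle \Gamma, \delta_c[ch \mapsto (n, l, 1)] \rangle}$$

$$\text{GSB2}\quad \frac{\delta_c(ch) = (n, [ch'] :: l, 1);\ n > 0;\ \delta_c(ch') = (n', l', g')}{\delta_f \vdash \langle \Gamma, \delta_c \rangle \stackrel{s(ch,\nu ch')}{\rightarrow}_g \langle \Gamma, \delta_c[ch \mapsto (n, l, 1), ch' \mapsto (n', l', 1)] \rangle}$$

Table 10. Global Transition Rules of Go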



Loc specifies the independent transition of a single Go-routine. Asynchronous
communication will also take this transition since RvB and SdB are both silent
transitions. LGo creates a new Go-routine. Com defines the synchronous communication
between two Go-routines over unbuffered channels. The rules Loc, LGo
and Com all specify internal actions of a running program.

A Go program can communicate with the environment via global channels.
GRU, GSU1 and GSU2 describe how a Go program interacts with the environment
via unbuffered channels, and GRB, GSB1 and GSB2 describe interactions
via buffered channels. Because communication over buffered channels is asynchronous,
the labels in GRB, GSB1 and GSB2 indicate how a global channel interacts
with the environment. For instance, in GRB the label $r(ch, v)$ means that
the channel (buffer) $ch$ receives a value $v$ from the environment. The two rules
GSU2 and GSB2 also describe how a local channel is exposed to the environment
and becomes a global channel, by communication upon global channels. The $\nu$
in the label is required only when the value is a local channel ($g' = 0$).

Let $t = \alpha_1 \ldots \alpha_n$ where each $\alpha_i$ is a global action; we write $\hat{t}$ for the action
sequence obtained by eliminating all the occurrences of $\tau$ in $t$. We write
$\Gamma, \delta \stackrel{t}{\rightarrow}_g \Gamma', \delta'$ if $\Gamma, \delta \stackrel{\alpha_1}{\rightarrow}_g \cdots \stackrel{\alpha_n}{\rightarrow}_g \Gamma', \delta'$, and $\Gamma, \delta \stackrel{\hat{t}}{\Rightarrow}_g \Gamma', \delta'$ if
$\Gamma, \delta \Rightarrow_g \stackrel{\alpha_1}{\rightarrow}_g \Rightarrow_g \cdots \Rightarrow_g \stackrel{\alpha_n}{\rightarrow}_g \Rightarrow_g \Gamma', \delta'$, where $\Rightarrow_g$ is the reflexive and transitive
closure of $\stackrel{\tau}{\rightarrow}_g$.

Definition 14. A symmetric binary relation $\mathcal{R}$ over global configurations is a
(weak) bisimulation if

$$A_1 \mathcal{R} A_2 \wedge A_1 \stackrel{\alpha}{\rightarrow}_g A_1' \ \text{then}\ \exists A_2' .\ A_2 \stackrel{\hat{\alpha}}{\Rightarrow}_g A_2' \wedge A_1' \mathcal{R} A_2'$$

Two global configurations are bisimilar, written as $A_1 \approx_g A_2$, if they are related
by some bisimulation.

Two Go programs $gp_1, gp_2$ are bisimilar, if their initial global configurations
(with the same $\delta_c$) are bisimilar.

3.2 Encoding 

The encoding of Go in the $\pi_b$-calculus is achieved by the translation function
$[\![\cdot]\!]_g(r)$, which maps Go expressions and statements to $\pi_b$ processes. The parameter
$r$ is the name along which the result of an expression is returned or the
termination of a statement is signaled. The translation function $[\![\cdot]\!]_g$ is defined
in Table 11.

In the encoding, we use synchronous communication via local names to arrange
the evolution order of $\pi_b$ processes. For instance, in Recv, the right hand
side of the composition will not proceed unless the left hand side outputs along
local name $r'$.

Process $Var(x, v)$ denotes variable $x$ whose current value is $v$. After inputting
a pair of local names $(g, p)$, one can retrieve the associated value by communicating
on $g$ or update the variable by communicating on $p$. Process $LR$ evaluates
the non-fully evaluated expressions in an expression sequence in left-to-right
order by synchronous communication on local names.
VDec Var{x,v) = {vt){t{v)\\t{z).x{g,p).(p{y).t{y)\g{z).t{z))) 

L2RE LR(vi ...Vn,r)= f{vi . . . v„) 

LR{. . . e\ . . . e"* . . . , r) = {urit2r2 . . . tmrm.){ 
[ei],(ri)|t2.pl9(r2)|...|t™.[e'"lg(r„) 
I ri{v^).t^.r2{v^) . .■t^-rra{v"')-r{vi ...«„) 

Valu H J, (r ) = r (n) |cfe] ,{r) =r(ch) 
Vari Ia;l9(r) = {vgp){x{g,p).g{z).r{z)) 
RECV l<-eUr) = {vr'){leUr')\r' {y).y{z).r{z)) 
Make |maie(chan t, 0)]g(r) = r.(z/o)f{o) 
[make(chaii t, n)]g(r) = {vb : n)r{b) 

Nil |nil]g(r)=f 

Assi |x = e]g(r) = (i^r') ( |e]g (r') \r' {z) .{ugp) {x{g, p) .p{z) .f) ) 
Send lei<-e2jg{r) = {vr'){LR{ei, 62, r')\r'{y, z).y(z).f) 
SEQU Isi;s2L(r) = K)(IsiL(r')ir'.[s2],(r)) 
Go [go /(ei . . . e„)],(r) = {ur')iLR{ei . . . e„, r') 

• ■ ■ yn) J{yi---yn) -f) 

Sele [select {ci . . . c„}]g(T-) = (i/r')(Li?(ei . . . Cfc, r') 
|r' (yi... -(SCci +--- + SCe J) 




c = 



c s case ei<-ej : s 



case a; 



Table 11. Encoding of Go 






Make returns the local name denoting the newly created channel. A receive
operation corresponds to an input prefix in Recv, while a send operation corresponds
to an output prefix in Send. For the go statement, after evaluating the
argument expressions, these arguments are sent to the function to which $f$ refers.
The statement does not wait for the function; rather, it outputs the termination
signal along $r$ immediately.

For select, suppose $e_1 \ldots e_k$ are the (fully and non-fully evaluated) subexpressions
appearing in the communication operations of its clauses, listed in lexical
top-to-bottom and left-to-right order. The encoding first evaluates this expression
sequence, followed by a guarded choice, each constituent of which denotes a
select clause. The use of guarded choice here seems unavoidable.

In the encoding, some prefixes and extended new operators are underlined.
They are the most significant part and will be discussed later.

The translation function can be extended to a mapping from global configurations
(with $\delta_f$) to $\pi_b$ processes. We write $[\![A]\!]_g$ for the pair $(P, B)$, where $P$
is the encoding of $A$ and $\delta_f$, and $B$ is a valid buffer store inferred from channel
store $\delta_c$. The extended translation function is shown in Table 12.

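$$\text{FDec}\quad [\![\texttt{func}\ f(x_1 \ldots x_n)\ \{s\}]\!]_g = {!}f(z_1 \ldots z_n).(\nu x_1 \ldots x_n)(Var(x_1, z_1) \mid \ldots \mid Var(x_n, z_n) \mid (\nu r')[\![s]\!]_g(r'))$$

$$\text{LSto}\quad [\![\sigma]\!]_g = \prod_{i=1}^{n} Var(x_i, \sigma(x_i)) \qquad x_i \in dom(\sigma);\ n = |dom(\sigma)|$$

$$\text{FEnv}\quad [\![\delta_f]\!]_g = \prod_{i=1}^{n} [\![\delta_f(f_i)]\!]_g \qquad f_i \in dom(\delta_f);\ n = |dom(\delta_f)|$$

$$\text{GRot}\quad R_{s,\sigma} = [\![s, \sigma]\!]_g = (\nu \tilde{x})((\nu r)[\![s]\!]_g(r) \mid [\![\sigma]\!]_g)$$

$$\text{GCon}\quad [\![A]\!]_g = [\![\langle \{(s_1, \sigma_1) \ldots (s_n, \sigma_n)\}, \delta_c \rangle, \delta_f]\!]_g$$

Table 12. Extended $[\![\cdot]\!]_g$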



The encoding of a function declaration is a replication of input prefix process.
Each replica starts by inputting the argument lists along $f$, followed by a
composition of processes denoting function parameters and function body. Since
a function does not return anything and a normal function call is forbidden, the
termination signal is worthless; therefore a local name $r'$ is used in the encoding
of the function body.

$R_{s,\sigma}$ represents a Go-routine in which $s$ is to be executed with local store $\sigma$.
Each $x$ in $\tilde{x}$ refers to a local variable. In the encoding of a global configuration,
the names referring to local channels ($ch$) and functions ($f$) are local names.

The valid buffer store $B$ is obtained from the channel store $\delta_c$ in three steps:
firstly, prefix a $\nu$ symbol to the names referring to local channels in all buffers;
secondly, remove the unbuffered channels from the domain of $\delta_c$; and finally,
for any buffered channel $ch$ in the domain of $\delta_c$, eliminate the third element $g$
from $\delta_c(ch)$.

3.3 Correctness

The correctness of the encoding is demonstrated by a full abstraction theorem 
with respect to (weak) bisimulation. The following lemma says that a global 
transition may be simulated by a nontrivial sequence of transitions of its encod- 
ing. Usually, the encoding will perform some internal adjustments before and 
after the real simulation. 

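Lemma 15. If $A \stackrel{\alpha}{\rightarrow}_g A'$, then $[\![A]\!]_g \Rightarrow \stackrel{\alpha}{\rightarrow} \Rightarrow [\![A']\!]_g$.

The lemma is proved by a detailed analysis of the global transition rules one by
one.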

Proposition 16. Suppose the transition is inferred by global transition rule Loc, 
that is 

{S,<J,S,) ^g {s',<j',6',) 

5/ h (r U {{s, a)}, 5,) ^g (r U {{s', a')}, 5',) 

then 

{i^ch)Rs,a,Sc =>^=> {ych)Rs',a',^'c 
where ch are local channels. 

Proof. Consider the local transition rules which can be applied in the last step
of the inference of the premise.

Suppose the premise is an instance of local transition rule Ass or SdB; the
result follows by a detailed analysis of the actions of the encoding.

Suppose the premise is an instance of AsE, and the premise of this instance
is an instance of local expression rule Var, Mak or RvB; the result follows by a
detailed analysis. If the premise of this instance is an instance of local expression
rule RvE, we prove by induction on the depth of the inference of the premise of
the instance. Suppose $s = x = \texttt{<-}e$, $s' = x = \texttt{<-}e'$ where $\langle e, \sigma, \delta_c \rangle \mapsto_g \langle e', \sigma, \delta_c' \rangle$ by
a shorter inference. By induction

{iych)Ra;=e,a,Sc =>^=> {uch) R^^e' ,a , S'^ 

From the definition of encoding for a; = e and <-e, it follows that 

{vch)Rx=<-e,<7,5c {vch)Rx=<-e\<y,5'^ 

SdE1, SdE2, GoE, SlR, or SlE are similar to AsE.

Suppose the premise is an instance of SlS, Seq1 or Seq2; then we prove by
induction on the depth of the inference of the premise. For Seq1, $s = s_1; s_2$, $s' =
s_1'; s_2$ where $\langle s_1, \sigma, \delta_c \rangle \mapsto_g \langle s_1', \sigma', \delta_c' \rangle$ by a shorter inference. By induction

{vch)Rs^^„Jc {vch)Rs>^^^,,5'c 

From the definition of encoding for si; S2, it follows that 

{vch)Rs^a-,5c {vch)Ra>^a'-,5'c 



SlS and Seq2 are similar to Seq1.
This completes the proof. □
Proposition 17. Suppose the transition is inferred by global transition rule LGo,
that is

$$\delta_f \vdash \langle \Gamma \cup \{(s, \sigma)\}, \delta_c \rangle \stackrel{\tau}{\rightarrow}_g \langle \Gamma \cup \{(s', \sigma), (s_f, \sigma_f)\}, \delta_c \rangle$$

where $\delta_f(f) = (\texttt{func}\ f(x_1 \ldots x_m)\ \{s_f\})$ and $\sigma_f = [x_1 \mapsto v_1 \ldots x_m \mapsto v_m]$, then

where ch are local channels. 

Proof. Consider the local transition rules which can be applied in the last step
of the inference of the premise.

Suppose the premise is an instance of local transition rule Go; the result
follows by a detailed analysis of the actions of the encoding.

Suppose the premise is an instance of Seq1 or Seq2; then we prove by induction
on the depth of the inference of the premise. For Seq1, $s = s_1; s_2$, $s' = s_1'; s_2$
where $\langle s_1, \sigma, \delta_c \rangle \stackrel{g(f, v_1 \ldots v_m)}{\mapsto}_g \langle s_1', \sigma, \delta_c \rangle$ by a shorter inference. By induction

{,^ch){R,,,„\lSfjg),S, {iych)(Rs'^,„\Rs,,.,\lSfjg),S', 
From the definition of encoding for si; S2, it follows that 

{iych){Rs,.,s,,a\lSfjg),Sc {iych)iRs'^.,s,,a\Rsf^af\lSfjg)J'^ 

Seq2 is similar to Seq1.

This completes the proof. □

The other global transitions are similar.

Conversely, a sequence of transitions of $[\![A]\!]_g$ should reflect certain global
transitions of $A$. However, this is not always possible, since the simulation may not
yet be complete; even worse, the transition sequence simulating one global transition
may interleave with transition sequences simulating others. Fortunately, by
observing the proof of the previous lemma, we find that actually only one transition
in the sequence plays the crucial role, as this transition uniquely identifies
a global transition. Other $\tau$ transitions, whether preceding or following this special
transition, are internal adjustments which prepare for the special transition
immediately after them. We call the special transition a simulating transition,
and the other non-special $\tau$ transitions preparing transitions.

Preparing transitions are local synchronous communications between subprocesses
of one single Go-routine (e.g. synchronous communication making subprocesses
evolve in order). Postponing or advancing preparing transitions would
not affect the behavior of other Go-routines.

These observations are formulated by the following definitions and lemmas.

Definition 18. A transition $P, B \stackrel{\alpha}{\rightarrow} P', B'$ is a simulating transition if the action
$\alpha$ is induced by the underlined prefixes and extended new operators specified
in the encoding in Table 11. Otherwise, it is a preparing transition.
Definition 19. Let $A$ be a global configuration; the set $T_A$ is defined as follows:

1. $[\![A]\!]_g \in T_A$

2. If $(P, B) \in T_A$ and $(P, B) \stackrel{\tau}{\rightarrow} (P', B)$ is a preparing transition, then $(P', B) \in T_A$

3. If $(P, B) \in T_A$ and $(P', B) \stackrel{\tau}{\rightarrow} (P, B)$ is a preparing transition, then $(P', B) \in T_A$

Proposition 20. Let A be a global configuration, and {Ajg = (z^c/i)(z//) 
(i?i| . . . \Rn\l6f]g),Sc. Suppose {Ajg 4 P,B, then 

P =B {vch'){vch"){vf ){P^\ . . . |P„| . . . 

where Pi (i < n) is (subprocess of) a descendant of Ri, Pj (j > n) corresponds to 
a newly created Go-routine. Also, {c/i'} C {c/i} and\fch G {ch}\{ch'} . d{vch) G 

t, where d refers to a global channel when K happens. Each name in ch" 

denotes newly created channels during 4. 

Proposition 21. If $P, B \stackrel{\tau}{\rightarrow} P', B'$ is a preparing transition, then

1. $B = B'$

2. It is a preparing transition of the $i$-th Go-routine, i.e. $P$ and $P'$ differ only on
$P_i$ for some $i$.

3. The transition is induced by $P_i, B'' \stackrel{\tau}{\rightarrow} P_i', B''$ where $B'' = B\{ch/\nu ch\}$.

Lemma 22. IJTaB {P^B) {P',B'), and only is a simulating transi- 

tion, then there exists A' such that 

A A' and {P',B') G Ta' 

Proof By the Definition \M and Propositions HOI and HH □ 
Any of the processes in $T_A$ can be seen as the encoding of $A$.

Lemma 23. If $(P, B) \in T_A$ and $(Q, B) \in T_A$, then we have $(P, B) \approx (Q, B)$.

Proof. The following relation is a bisimulation.

$$\mathcal{R} = \{((P, B), (Q, B)) \mid (P, B) \in T_A \wedge (Q, B) \in T_A\}$$
iP,B) {P',B') gTa is trivial. 

Suppose {P,B) ^ {P',B') ^ Ta is a simulating transition. By Lemma 1221 
there exists A' such that 

A^g A' and {P',B')eTA' 




Suppose this —>g involves the i-th (and j-th) Go-routine. For {Q^B), perform 

the preparing transitions of the i-th (and j-th) Go-routine, fohowed by we 
have 

(Q,S)^^ {Q',B')eTA' 
The other direction is similar. □ 

As a consequence, bisimulation is preserved by the encoding.

Theorem 24. $A_1 \approx_g A_2$ if and only if $[\![A_1]\!]_g \approx [\![A_2]\!]_g$.

Proof. The following relation is a bisimulation up to $\approx$.

$$\mathcal{R} = \{([\![A_1]\!]_g, [\![A_2]\!]_g) \mid A_1 \approx_g A_2\}$$

Suppose {Aijg ^ {P,Bp) ^ Tai is a simulating transition. By Lemma [22] and 
there exists A'^ such that 

^1 ^g A[ and Ta', 3 {P,Bp) « KJg 
Since Ai K,g A2, there exist A'2 such that 

A2 Ag A', ^g A', 

By Lemma [TS] 

{A^lg 4 mg e Ta', 

The other direction is similar. 

The following relation is a bisimulation. 

7^ = {(^l,yl2) I mg^lA^g} 

Suppose Ai ^g A'l, by Lemma [TCI 

Since ~ [^2]g, there exist {Q,Bq) such that 

lA2jgi>{Q,BQ)^lA[jg 

For each simulating transitions of by Lemma [22l there exists A'2, such that 

A2 Ag A'2 and Ta!, 3 (g, Bq) « 
The other direction is similar. □ 
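Functions:

$$f ::= \texttt{fun}\ (x_1 \ldots x_n)\ \texttt{->}\ e$$

Expressions:

$$\begin{array}{rcll}
e, e_1, e_2, \ldots & ::= & n & \text{Integer} \\
& \mid & id & \text{Process id} \\
& \mid & x & \text{Variable} \\
& \mid & \texttt{let}\ x = e_1\ \texttt{in}\ e_2 & \text{Let binding} \\
& \mid & \texttt{apply}\ fn(e_1 \ldots e_n) & \text{Function application} \\
& \mid & \texttt{spawn}\ fn\ [e_1 \ldots e_n] & \text{Spawn Erlang process} \\
& \mid & e_1\ !\ e_2 & \text{Sending} \\
& \mid & \texttt{receive}\ c_1 \ldots c_n & \text{Receiving}
\end{array}$$

where $c_1, c_2, \ldots ::= x\ \texttt{when}\ e_1\ \texttt{->}\ e_2$

Table 13. Syntax of Core Erlang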



4 Core Erlang 

We improve the translation mapping shown in [12] by a fully abstract encoding
in the $\pi_b$-calculus.

4.1 Syntax of Core Erlang

The syntax of a subset of Core Erlang is presented in Table 13.

let binds values to variables, and functions are bound to function names by
function definitions in the form

$$fn = f$$

The counterpart of a Go-routine in Erlang is the Erlang process. Each Erlang
process is identified by a unique process id. Moreover, every Erlang process is
associated with a mailbox, which is an unbounded ordered sequence. An Erlang
process is created by the spawn expression. This expression acts almost the same
as the go statement except that it is an expression and takes the newly created
Erlang process's id as its result.

Communication in Erlang is asynchronous. The send expression $e_1$ ! $e_2$ appends
message $e_2$, which is also the result of this expression, to the mailbox of the
Erlang process identified by $e_1$. The receive operation is based on pattern matching.
The receive clause is deliberately simplified to "$x$ when $e_1$ -> $e_2$", where $x$ is an
"always match" pattern. Once a receive expression occurs, messages residing in
the mailbox of the Erlang process evaluating this expression are tried in first-to-last
order against the clauses $c_1 \ldots c_n$ from left to right. For message $v$ and
clause $c$, pattern matching results in $x$ binding to $v$ in $e_1$ and $e_2$. If the guard
expression $e_1$ evaluates to the Erlang atom 'true', matching succeeds, message
$v$ is deleted (received) from the mailbox, and the result of the expression is the
result of $e_2$. Otherwise, the next clause will be tried against $v$. If no more clauses
are left for $v$, that is, $v$ does not match any clause, then the next message in the
mailbox will be used for matching, with $v$ remaining in the mailbox. Sometimes none of
the existing messages matches any clause; in this case receive blocks until a new
message arrives.

Without loss of generality, we stipulate that a Core Erlang program is a set of
function definitions, in which a function named start is defined. Running a program
is equivalent to evaluating spawn start [. . .] with appropriate arguments.
For the sake of simplicity, we assume the function bodies contain no local variables
other than function arguments. Note that a function name may appear only
at the function position of spawn or apply expressions in this subset language
— higher-order functions are not considered.

4.2 Operational Semantics 

The structural operational semantics of Core Erlang is also defined by a two-level
labelled transition system: the local transition system specifies the evaluation of
a single Erlang process in isolation, and the global transition system describes
the behavior of a running Erlang program.

The local transition system defines transition rules between local configurations.
A local configuration is a tuple $\langle e, m \rangle$ where $e$ is the expression to be
evaluated by the Erlang process whose mailbox is $m$. The local transition rules,
defined in Table 14, are of the form

$$\delta_f, id \vdash \langle e, m \rangle \stackrel{\alpha}{\mapsto}_e \langle e', m' \rangle$$

where $\delta_f$ is a mapping from function names to functions, and $id$ identifies the
Erlang process evaluating the expression. Actions can be either the silent action
$\tau$, $sd(id, v)$ denoting a send action, or $sp(fn, v_1 \ldots v_n)$ denoting Erlang process
creation.

Subexpression evaluation in Core Erlang is strict; however, the order in which a
sequence of subexpressions is evaluated is not defined. This evaluation strategy
is specified by LtE, ApE, SpE, SdE1 and SdE2.

Let and App are straightforward. In Spa, the $sp$ label indicates that the new
Erlang process is identified by $id'$ and the expression it will evaluate is the
function application apply $fn(v)$. Sending a message to an Erlang process carries
the sending label $sd(id, v)$, while receiving is silent. The premise of Rev indicates
that the first suitable message is the $k$-th message, and it matches the $i$-th clause.

Global transitions happen between global configurations which contain information
of all running Erlang processes. A global configuration, denoted by
$A, A_1, \ldots$, is defined as a tuple $\langle ID, E, \delta_m \rangle$, where $ID$ and $E$ are the sets of
ids and expressions, respectively, of all running Erlang processes, and $\delta_m$ is the
mailbox store. A mailbox store $\delta_m$ is a mapping from process ids to pairs $(m, g)$,
where $m$ is a mailbox (a list) and $g$ is a tag indicating whether (the mailbox of)
the Erlang process is accessible by an observer (1) or not (0).

We say an Erlang process is local if it is created during the evaluation of
a program. The set of local Erlang process ids is exactly the $ID$ of a global
Let Sf,id h (let x = v in 62, m) {e2{v/x},m.) 

Sf,id\- (ei,m) (e'i,m') 



LtE 



App 



ApE 



Spa 



5f,id h (let X = ei in 62, m) '—^e (let a; = e[ in 62, m') 

5f(fn) = fun (5) -> e 
5f. id h (apply /n(«),Tn) {e{v/x},m) 

dj,id\ ((',;. m) ^< (^^.m'}: /' t [/)] 

(5/, id h (apply /n(-ei-),m) (apply /n(•e^),tn'> 

id' is fresh 

sp(id' ,/n,{;) 

(5/,idl- (spawn fn [v\,va) < >e {id',m} 



5f,id\- {ei,m) ^e(e-,m'); i £ [n] 

SpE 



SdEI 



SdE2 



Rev 



Sf,id h (spawn fn [■ei-],m) (spawn fn [■e^],m') 

5f,id\- {id ! v.m) < — >e ('f,tn) 

h (ei,m) Ae (ei,m') 
5f,id\- (ei ! 62, tn) Ae (ei ! 62, tn') 
(e2,ni) (62, m') 
(ei ! 62, tn) (ei ! 63, tn') 

/V0</<fcAO<j<n \ 
. (5/,irfl- {e{{m[l]/x^,m) M-e ('false', m) 

VO < j < i 

. 5f,id\- {e{{m[k]/x^,m) ('false', m) 

\(5/,irfl- (ei{m[A;]/x'},m) ( 'true',m) / 
Sf,id h (receive Ci . . . c„, m) {el{m[k]/x^}, tn/[A;]) 
/ where Cj = x^ when e{ -> and tn/[fc] \ 
Y means remove the fc-th element from m J 

Table 14. Local Transition Rules of Core Erlang 
configuration. All the Erlang processes in the environment (context) are global.
A local Erlang process is accessible if the environment knows its process id.
A global transition takes the form

$$\delta_f \vdash \langle ID_1, E_1, \delta_{m_1} \rangle \stackrel{\alpha}{\rightarrow}_e \langle ID_2, E_2, \delta_{m_2} \rangle$$

An Erlang program will start from an initial configuration 

init) 

where $id_{start}$ is a fresh process id, $e_{start}$ is the expression obtained from the
body of start by simultaneously substituting supplied arguments for parameters
of the function, and $\delta_{init} = [id_{start} \mapsto ([$ is the initial mailbox store. The
global transition rules are listed in Table 15. A global action can be either $\tau$,
$s(id, v)$ for sending, or $r(id, v)$ for receiving.



Sf,idh (e, m) (e', m') 
Sf h (JL»,{-e-},5„> {I D, {■€'■}, 5,^[id ^ {m',g)]) 

5/,jdh(e,Tn) < >e (e ,m); id ^ ID; 5f(fn)= fun {x)->e 

Sf h {ID, {-e-}, 5„> {ID U {id'}, {■€"■} U {e'{v/x}}, <5^K ^ ([ 1,0)]) 

Sf,id\- (e, m) ' — ^- — '—^e (e', m); id' e ID; 5m{id') = {m' ,g') 
Sf h {ID,{-e-},S^) {ID,{-e'-},5^[id' ^ (m' :: Hg')]) 

^ Sf, id h (e, m) = >e (e , m); id /D; v ^ /_D 

5/ h {ID,{-e-},Srr.) i*!^, {.£'.}, 

^ (5/,idl- (e,m) ''"''"^ '"' \ e (e',m); id' ^ JD; id" e /D; Sm{id") = {m',g') 

Sf h {ID,{-e-},S^) ''"'■"""'> e {-e'-}, 5„[id" ^ (m',1)]) 
id G 7D; 5™ (id) = (m, 1) 

Sf h {ID,E,5m) II^, {ID,E,Sm[id^ {m:: [«],!)]) 

Table 15. Global Transition Rules of Core Erlang 



Loc specifies the independent evaluation of an Erlang process. The receive operation
will also take this transition since Rev is a silent local transition. LSp
creates a new Erlang process. LSd defines the sending operation between two
local Erlang processes. The rules Loc, LSp and LSd all specify internal actions of
a running program.

The labels in GSD1, GSD2 and GRV indicate how an Erlang program interacts
with the environment. An Erlang program can send values to the environment
via global Erlang process ids; this behavior is captured by GSD1 and GSD2. The
latter also describes how an inaccessible Erlang process becomes an accessible
one. Note that the $\nu$ symbol in the label $s(id', \nu id'')$ in GSD2 is required only
when $id''$ denotes an inaccessible Erlang process, i.e., $g' = 0$. The environment
can also send values to an accessible Erlang program via its ids. In GRV the label
$r(id, v)$ actually means that the accessible Erlang process $id$ "receives" a value
$v$ from the environment.

Definition 25. A symmetric binary relation $\mathcal{R}$ over global configurations is a
(weak) bisimulation if

$$A_1 \mathcal{R} A_2 \wedge A_1 \stackrel{\alpha}{\rightarrow}_e A_1' \ \text{then}\ \exists A_2' .\ A_2 \stackrel{\hat{\alpha}}{\Rightarrow}_e A_2' \wedge A_1' \mathcal{R} A_2'$$

Two global configurations are bisimilar, written as $A_1 \approx_e A_2$, if they are related
by some bisimulation.

Two Erlang programs $ep_1, ep_2$ are bisimilar, if their initial global configurations
(with the same $\delta_m$) are bisimilar.

4.3 Encoding of Core Erlang 

The encoding of Core Erlang in the $\pi_b$-calculus is achieved by the translation function
$[\![e]\!]_e(a, p, r)$. This function, defined in Table 16, takes three parameters: the first
parameter $a$ stands for the id and the "input port" of the mailbox of the Erlang
process evaluating $e$; the "output port" of the mailbox is obtained from the
second parameter $p$; and the result of $e$ is returned along the last parameter $r$.

In Spaw, the input port (also the process id) and the output port of the
new Erlang process's mailbox are $a'$ and $b'$ respectively. The result of the function
application is returned via local name $r'$ and hence simply dropped.

Receive. We use the following algorithm to simulate one receive operation.

The algorithm uses two buffered names for each receive: a newly created
buffered name and the buffered name created by a previous receive. From
the viewpoint of a receiver, the latter is the output port of the mailbox from
which messages are retrieved. Once the receive operation succeeds, the former
will become the output port of the mailbox. The encoding of the receive expression
is basically the implementation of the algorithm in the $\pi_b$-calculus.

In Recv, the previous buffered name, say b, is saved in the second parameter of 
the translation function (p). After creating a new buffered name b' , process RH 
is triggered. Receive handle process RH fetches a message from mailbox b and 
passes it to the first clause process for matching. Clause process RCc{s, s') gets 
the message from its first parameter. If guard expression evaluates to 'true', 
matching succeeds. The corresponding clause body process begins its evaluation 
with the previous buffered name changed to b' and a copying process Cp carries 
all remaining messages from the old mailbox to the new one. Otherwise, the 
message is passed along the second parameter to the next clause process for 
matching. If the message does not match the last clause, it is passed back to RH 
which then inserts the message to the new mailbox b' and starts the matching 
AtLi |a/]e(a,p, r) —r{al) 
Vari lx\e.{a,p,r) = r{x) 

Let [let x ^ e-i in e2]e(a, p, r) = (t^r')([ei]e(a,p, r') | r-'(x) .|e2le(a, p, r)) 

Appl [apply /n(ei . . . e„)]e(a,p, r) = (//n . . . r„)(|eile(a,p, ri)| . . . | Ie„]e(a,p, r„) 

ri(zi) . . . rn{z„). fn{a,p,r,zi . . . Zn) ) 
Spaw [spawn fn [a . . . e„]]e(a, p, r) = {un . . .r„){[eije{a,p,ri)\ . . . \[e„je{a,p,r„) 

\ri{zi) . . . rn{zn).{uh' : oo){va'p'r'){ 

Cpja', b')\P{b')\ Ma',p', r', zi . . . z„) .r{a')) 
Send [ei ! e2je{a,p,r) = (i/rir2)(|ei]e(a,p, ri)||e2le(a,P, r2)|ri(y).r2(2).y(z).r(z)) 
Recv [receive Ci . . . c„]e(a,p, r) = p{b).{iyb' : oo){vtsi . . . s„+i)( 

t\mH\\RCcAsi, S2)\ ■ ■ .imccjs^, s„+i)) 

RH = t.b{z).sT{z)\s„+i{z)]7{z).t 
RCc{s,s') = s{x).{ur')He^U<^,p,r')\r'{y) 

.if y= 'true' then le2je{a,p,r)\Cp{b,b')\p{b') else 5^(2;)) 
Cp(c,6) = I ! t.c{z)]){z).t) 

Table 16. Encoding of Core Erlang 



1. Suppose the previous buffered name is $b$. Create a new buffered name $b'$.

2. Retrieve a message $v$ from $b$, pattern match $v$ against the first clause.

3. Pattern match $v$ against clause ($x$ when $e_1$ -> $e_2$), substitute $v$ for each free $x$ in $e_1$
and $e_2$. If $e_1$ evaluates to 'true', goto 4; otherwise pattern match $v$ against the
next clause, goto 3. If no clause remains, insert $v$ into $b'$ and goto 2.

4. Set the previous buffer to $b'$, copy all remaining messages from $b$ to $b'$, evaluate $e_2$.

Table 17. Receive Algorithm
of the next message. In the encoding, $RC$ is guarded by its first parameter $s$,
and all $RC$s are chained together by local names $s_1 \ldots s_{n+1}$. A clause process
cannot proceed unless the matching of the previous clause failed.
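The receive algorithm of Table 17 can be run on an explicit mailbox to see which message is taken and what order the rest keep. The Go program below is an added illustration, not code from the paper: Clause, Receive, sampleClauses and the integer messages are assumptions made here, slices stand in for the buffered names b and b', and a false third result stands for a receive that blocks.

```go
package main

import "fmt"

// Clause models the simplified receive clause "x when e1 -> e2":
// Guard plays e1 and Body plays e2, both with x bound to the message.
type Clause struct {
	Guard func(x int) bool
	Body  func(x int) int
}

// Receive performs one receive over b, the buffer that currently serves as
// the output port of the mailbox. It returns the value of the selected
// clause body, the new output buffer b', and whether a message matched.
func Receive(b []int, clauses []Clause) (result int, bNew []int, ok bool) {
	bNew = make([]int, 0, len(b)) // step 1: create the new buffer b'
	for k, v := range b {         // step 2: retrieve the next message v from b
		for _, c := range clauses { // step 3: try the clauses left to right
			if c.Guard(v) {
				// step 4: b' becomes the output port and the messages
				// still in b are copied over in their original order.
				bNew = append(bNew, b[k+1:]...)
				return c.Body(v), bNew, true
			}
		}
		// No clause matched v: insert it into b' and go on with the next message.
		bNew = append(bNew, v)
	}
	// Every message was tried and moved to b'; the receive would now block.
	return 0, bNew, false
}

// sampleClauses is constructed sample input: "x when x > 5 -> x*10"
// followed by "x when x is even -> -x".
func sampleClauses() []Clause {
	return []Clause{
		{Guard: func(x int) bool { return x > 5 }, Body: func(x int) int { return x * 10 }},
		{Guard: func(x int) bool { return x%2 == 0 }, Body: func(x int) int { return -x }},
	}
}

func main() {
	mailbox := []int{1, 4, 9, 3} // constructed sample mailbox, oldest first
	cs := sampleClauses()
	// Message 4 is taken by the second clause although 9 would satisfy the
	// first one: message order takes priority over clause order.
	r, b1, ok := Receive(mailbox, cs)
	fmt.Println(r, b1, ok)
	// The next receive works on b', the buffer created by the previous one.
	r, b2, ok := Receive(b1, cs)
	fmt.Println(r, b2, ok)
	// Nothing in the mailbox matches any clause: the receive blocks.
	r, b3, ok := Receive(b2, cs)
	fmt.Println(r, b3, ok)
}
```
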

In general, we have the following proposition concerning the mailbox. 

Proposition 26. A mailbox is explicitly modelled as follows 

$$M(a, b^k) = Cp(a, b) \mid Cp(b, b^1) \mid \ldots \mid Cp(b^{k-1}, b^k)$$

where $a$ and $b^k$ are input and output ports of the mailbox. Each buffered $b^j$ 
($j > 1$) is created by one receive operation, and the first buffered $b$ is created 
by the spawn expression. Send expressions insert messages into the mailbox via 
input port $a$, while receive expressions retrieve messages from the mailbox via 
output port $b^k$. 
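
The receive algorithm of Table 17 and the mailbox chain of Proposition 26, as an added Go sketch that is not part of the paper. Go's buffered channels stand in for buffered names; the names `Mailbox`, `Clause`, `Spawn`, `Receive` and `cp`, and the finite capacity `unbounded` used in place of ∞, are assumptions of this example.

```go
package main

import "fmt"

const unbounded = 1024 // assumption: finite stand-in for the paper's capacity ∞

type Msg int // constructed message type; the paper's messages are Core Erlang values

// Clause models "x when e1 -> e2": Guard plays e1, Body plays e2.
type Clause struct {
	Guard func(Msg) bool
	Body  func(Msg) string
}

type Mailbox struct{ In, out chan Msg } // input port a, current output port b^k

// cp plays Cp(c, b): forward every message from c to b in arrival order.
func cp(c <-chan Msg, b chan<- Msg) {
	for v := range c {
		b <- v
	}
}

// Spawn creates port a and the first buffer b, linked by Cp(a, b).
func Spawn() *Mailbox {
	m := &Mailbox{make(chan Msg, unbounded), make(chan Msg, unbounded)}
	go cp(m.In, m.out)
	return m
}

// Receive follows Table 17; messages that no clause accepts are kept in b'.
func (m *Mailbox) Receive(clauses ...Clause) string {
	next := make(chan Msg, unbounded) // step 1: fresh buffered name b'
	for {
		v := <-m.out                // step 2: retrieve v from b
		for _, c := range clauses { // step 3: try the clauses in order
			if c.Guard(v) {
				go cp(m.out, next) // step 4: Cp(b, b') moves the remaining messages
				m.out = next       // b' becomes the mailbox's output port
				return c.Body(v)
			}
		}
		next <- v // no clause matched: insert v into b'
	}
}

func main() {
	m := Spawn()
	m.In <- 1
	m.In <- 2
	fmt.Println(m.Receive(Clause{func(v Msg) bool { return v%2 == 0 }, func(v Msg) string { return fmt.Sprintf("even:%d", v) }}))
}
```

Each call to `Receive` extends the chain by one copier, so the skipped messages stay ahead of later arrivals and mailbox order is preserved.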

Configuration The translation function can be extended to a mapping from 
global configurations (with $\delta_f$) to $\pi_b$ processes. We write $[\![A]\!]_e$ for the pair (P, B), 
where P is the encoding of A and $\delta_f$, and B is a valid buffer store inferred from 
mailbox store $\delta_m$. The extended translation function is shown in Table 18.

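\begin{align*}
\text{FDef}\quad & [\![f_n = \mathtt{fun}\ (x_1 \ldots x_n) \to e]\!]_e = {!}\,f_n(a,p,r,x_1 \ldots x_n).[\![e]\!]_e(a,p,r) \\
\text{FENV}\quad & [\![\delta_f]\!]_e = \prod_{i=1}^{n} [\![\delta_f(f_i)]\!]_e \qquad f_i \in dom(\delta_f),\ n = |dom(\delta_f)| \\
\text{EPro}\quad & R_{e,m}(a) = (\nu p r)(\nu b b^1 \ldots b^k)\big([\![e]\!]_e(a,p,r) \mid \bar{p}\langle b^k\rangle \mid M(a,b^k)\big) \\
\text{ECON}\quad & [\![A]\!]_e = [\![(ID, E, \delta_m), \delta_f]\!]_e \\
& \quad = (\nu a)(\nu f_n)\big(R_{e_1,m_1}(a_1) \mid \ldots \mid R_{e_n,m_n}(a_n) \mid [\![\delta_f]\!]_e\big),\ \delta_m
\end{align*}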

Table 18. Extended [-je 



The encoding of a function definition is a replication of input prefix process. 
Each replica starts by inputting the argument lists along fn, followed by the 
processes denoting the function body. 

$R_{e,m}(a)$ represents an Erlang Process (a) ready to evaluate expression e with 
mailbox m whose input port is a. In the encoding of a global configuration, 
the names referring to local Erlang Processes which are not accessible (a) and 
functions ($f_n$) are local names. 

4.4 Correctness 

The correctness of the encoding can be demonstrated by an analysis similar to 
that for Go. The following lemma says that substitution for free variables can be 
postponed until after the encoding. 



Lemma 27. 

$$[\![e\{x/v\}]\!]_e(a,p,r) = ([\![e]\!]_e(a,p,r))\{x/v\}$$

Proof. Simple induction on the structure of e. 
Theorem 28. If 6f h A Ae A', then |yl]e IA% 

Proposition 29. Suppose the transition is inferred by global transition rule Loc, 
that is 

<)f, id \- {('. m) ((;'. m') 



6f h {ID,{-e-},6m) {ID,{-e'-},6m[id^{m',g)]) 

then 

where a are local non- accessible Erlang Processes, and 8'^ — im^d ^ (m',5)]. 

Proof. We prove by simultaneous induction on the depth of inference of the 
premises. Consider the local transition rules applied in the last step of the infer- 
ence of premise. 

For Rev: Suppose e = receive c\. . . c„; e' = e2{m[A:]/x'}; m' = tn/[A:], where 

VO < / < fc A < i < n. 5f,id^ {e{{m[l]/x^},m) ('false', m) 
VO < j < i. 5f,id h {e{{m[k]/x3},m) ('false', m) 
6f,id\- {e\{m[k]/x^},m) ('true',m) 

by a shorter inference. By induction 

\fO <l<k A0< J <n. (J^a)^e|{n,[,]/^,},„(a),^ (j^a)i?'faise',m(a), 

VO < j < i. (!^a)i?el{m[fc]/a;J},m(")'^ ^^=^ (l'a)i?.falseSm(a), i3 
('^a)-Rel{m[/c]/x-},m(a).^ (z/a)ii.true',m(a), S 

From the definition of the encoding for receive $c_1 \ldots c_n$, it follows that 

= (vpr){vbh^ . . .6*=) ([receive Ci . . .c.a}e{a,p,r)\p{h^)\M{a,b'')),5m 
{upr){ubb^ ...b''+^) 

{lei{m[k]/x'}Ua,P, r)\p{b'^+^)\Mia, 6'=)|Cp(6^ 6'=+i)), 5^ 

Other cases are similar. □ 

Proposition 30. Suppose the transition is inferred by global transition rule LSp, 
that is 

Sf,idh- (e,m) = — -^e (e ,m); id ^ ID 

6f h (ID, {-e-}, 6m) {ID U {id'}, {-e"-} U {e'{v/x}}, 6'J 

where 6f{fn) = fun (x) -> e' and 5'^ = 5m[id' ^ ([ ],0)], then 

{va){Re,m{a)\{5fle),5m =>^=> (z^ao")(-Re",m(a)|-Re'{C/x},[ ] («") I I^/le), "^m 
The other global transitions are similar. 

Although argument evaluation is strict in Core Erlang, the evaluation order 
of a sequence of argument expressions is undefined. In the encoding, besides 
the interleaving between transitions of many Erlang processes, interleaving also 
exists inside one single Erlang process, between the transitions simulating 
argument evaluation. This interleaving is not serious: except for receive and 
send, expression evaluation has no side effect, so the transitions of one argument 
process will not affect the behavior of the others. For receive, the input prefix p(b) 
also acts as a semaphore which prevents two receive operations from running in 
parallel. For send, it may only affect the behavior of receive. But according to the 
operational semantics, a receive expression would proceed unless a legal message is 
already in the mailbox. Hence the interleaving of transitions simulating send and 
receive expressions can be rearranged in a non-interleaving way. 

Definition 31. A transition $P, B \xrightarrow{\alpha} P', B'$ is a simulating transition if the 
action $\alpha$ is induced by underlined prefixes specified in Table 16. Otherwise, it is 

1-1 11 1 1 1 ( 'true ') 

a preparing transition. For receive, only the transition — > induced by >■ 

is a simulating transition. 

Definition 32. Let A be a global configuration, the set $T_A$ is defined as follows: 

1. $[\![A]\!]_e \in T_A$ 

2. If $(P, B) \in T_A$ and $(P, B) \rightarrow (P', B')$ is a preparing transition, then 
$(P', B') \in T_A$ 

Lemma 33. IfTA^ (PjB) =>-2-s> (P',B'), and only is a simulating transi- 
tion, then there exists A' such that 

A-^eA' and {P',B')eTA' 

Any of the processes in $T_A$ can be seen as the encoding of A. 
Lemma 34. If $(P, B) \in T_A$ and $(Q, B') \in T_A$, then we have (P, B) (Q, B') 

As a consequence, bisimulation is preserved by the encoding. 
Theorem 35. Ai A2 if and only if |/li]e « |yl2]e 

5 Conclusion and Future Work 

We have presented the $\pi_b$-calculus, which extends the π-calculus with buffered 
names. Communication along buffered names is asynchronous, i.e. asynchronous 
communication is supported natively. After presenting its syntax and semantics, we 
gave a fully abstract encoding of the $\pi_b$-calculus in the traditional polyadic 
π-calculus with respect to strong bisimulation. It is obvious that the new calculus 
does not increase the expressive power. However, in contrast to the π-calculus, 
which is hard to use in practice, it enables easy and clear modeling of practical 
concurrent languages. Specifically, we have provided encodings of two real-world 
concurrent languages, the (core) Go language and the Core Erlang, in 
the buffered π-calculus. Both encodings are fully abstract with respect to weak 
bisimulations. 

The transition rules of the $\pi_b$-calculus are a bit complicated compared with 
those of the π-calculus. We aim at applying the new language for modeling and 
verifying large distributed and concurrent systems with asynchronous message 
passing-like communication by automatic computer programs. One line of future 
work is to develop such programs. We may extend existing tools such as Pict [T3], 
MWB [TB] or the HD Automata Laboratory [5^ to handle the $\pi_b$-calculus. 

Since weak bisimulation is not sufficient to demonstrate program equivalence, 
we may expect some fully abstract encodings with respect to branching 
bisimulation, or even strong bisimulation. 
A Proofs 

Proof of Lemma [5] 

Proof. We prove by induction on the depth of inference tree of the condition. 
Consider each rule in Table [21 

IU, OU, IB, OB, IBG, OBG and NewB* are the base steps. 

lU P = a{x).P"; a = a{d); P' = P"{d/x}; B' ^ B 

[P,S] =ai(xi,:r2).lP"l|IS] ^^^^ {P"\{d^,d2/x^,X2}\lB\ = {P\B\ 
OU P = a{d).P'- a a{d);B' ^ B 

{P,Bl=-2{di.d2).{P'mB\ IP'IIIS] = |P',B] 

IB P = b{x).P"; a = T:P' = P"{d/x}; B{b) = {n, [d] :: l);B' = B[b ^ {n, I)] 

IP,B] = 6l(xi,X2).[P"l|P„J(,,,d.)]::L,(&l,62)|[i?\61 
IP,B] ^ lP"j{di,d2/x,,X2}\Fr,,LXbl,h)\lB\bj = lP',B'j 

OB P = b{d).P'; a^T- B{b) = {n, l);B' = B[b ^ {n, I :: [d])] 
IP, B] = V2{d, , d2 ) . [P'l I P„,L, (6l , 62) I lB\b] 

IP,B] A [P'l I P„^L,.[(d„d,)](6i,62) I lB\bl = IP',Z?'1 
IBG P' ^P-a^ b{d); B{b) = (n, l)-B' = B[b ^ (n, I :: [d])] 

|P,fil = (z^ciC2)(|Ql I I P„,L,(6i,&2)) 

where {c} = U (dom(;B) n ln{P)),P =b ivc)Q. Since b e dom{B) and 

b ^ ln{P), then b ^ {c} 

|p,B] ^2-*^^ {^C,C2){M I I ^^„,L,::[(d„..)](&l,&2)) = [P' , B'] 

OBG P' = P;a^ b{d);B{b) = (n, [d] :: 0; B[b ^ (n, ?)] 

IP,B] = (^^d-lC2)([Q] I le{c/i.5}\6] I P„,[rf„d.]::L,(fol,62)) 
|p,6] ^i^^ (^CiC2)(|Ql I lB{c/,.c}\bj I P„,L,(&1,&2)) = IP',B'] 

NewB* P ={vb: n)Pi;P' = {vb)Pi;a^ t;B' = B[b ^ {n,l)] where I = [] 

|P£?l = KiC2)|Q,B{c/z.a}] 

= ii^c\c2){{iyb,b2)T.{m I P„,L, (&i,&2)) I 

where {c} = ^^(B) U (dom(B) n ln{P)),P =b {v£)Q and Q ^ {vb : n)Q' . Since 
6 ^ dom(B), then & ^ n{B) 

IP,B] ^ (i^c-iC2)(z^6i62)(IQ'l I i^n,L,(6i,62) | IB{c7;.c}]) = |P',B[6k^ 
Sum P = J2iei ^^i-P^ T^j-Pj,^ ^ P', By induction, 

hj.Pj,Bj = hj.Pjl I IB]^IP',B'1 

iP,Bl = Y,l^^.P^l I m ^ iP',B'j 

Par P = Pi I P2; Pi, B Pi, B'; P' = Pi | P2. By induction 

[Pi,s] = |Pii I m ^ iPi,B'j = iPi] I m 

Since new operators are guarded in Pi \ P2, the transition does not involve any 
local names, hence B' does not contain any local names either. 

[p,s] = |Pi] 1 1P2] I m ^ lA'i I iP2} I m = m i P2,B'j 

Com P = Pi I P2; Pi, B Pi, B; P2, B ^ P^, B; P' = Pi \ Pf,; B' = B. By 
induction, 

iPi,B] = iPii I m ^i^^ iPi,Bi = {Pii I m 
iP2,Bi = [P2] I m ip^,s] = [Pi'i I m 

Hence 

[p,Bi = iPii 1 1P2I I [Bj ^ m I [^'2! I m = ip[ I P2,^\ 

New* P = {vc)Pi;Pi,B{c/vc} ^ P2,B";P' = {vc)P2;B' = B"{vc/c]. Sup- 
pose c ^ ln{B) U (doin(B) fl ln{P)), the encoding is as follows 

[P,S] = {vdMQMd/^d}} = (i^dirf2)((j^ciC2)[g'l I lB{d/ud}]) 

where {d} = ln{B), P =b {vd)Q and Q = {vcjQ' . Since c ^ gn{B), we can move 
the {1/0102) to the outermost level. 

IP, SI = KiC2)(i^dlrf2)(IQ'] I lB{d/,/d}]) = (i.Ci,C2)IPl,S{c/i.c}l 

By induction, 

lP,,B{c/uo}]^lP2,B"l 
ci,C2 ^ n{M{a)), since c ^ n(a), then 

|p,B] ^ (l/Ci,C2)[P2,S"] = 1{^C)P2,B"{PC/C}j 

The last = is because c ^ gfn(B"{z/c/c}) and c ^ ln{B"). 

Open* P = (z/c)P"; B' = B{c/z/c}; P", B' P', S'; a = d{uc) 
As in New*, 

[P,B] = (i.ci,C2)lP",B'] 
By induction, 

IP\B'\ 

Stru The result follows from Lemma [S] □ 

Proof of Lemma [TU] 

Proof. We prove by induction on the size of P. Consider the structure of P: 
For input prefix. P — c{x).P' and ln{B) ~ 0. 

{PM=cii^i.^2).{P'\ I {B\^R 

If c ^dom(B), 

|P,i5j fiifi:^ | [^1 = lP'{d/x],B} 

If c G dom(B), the encoding may also perform this action. However, only the 

buffer process i^n,L(ci, C2) is able to perform the complementary ^' ^\ action, 
hence if c is a buffered name, we only need to consider the following transition: 

{P,B\ A lP']{di,d2/xi,X2} I F„,i,(ci,C2) I lB\c\) = lP'{dlx}Mc^M\\ 

where B{c) = (n, [d] :: I). 

For output prefix. P ~ c{d).P' and ln{B) = 0. 

{PM=^{d^,d^)■lP'\ I {B\^R 

If c^dom(K), 

iP,s]^^^^^[p'i I m = iP',B} 

If c 6 dom(S) and B{c) = {n, I) where \l \ < n 

IP,B] A I F,,^Lr.:l(d^.d2)]icl,C2) I lB\cj = lP',B[c^{n,l:: [d])]] 
For summation. P — J^iei Pi ln{B) — 0. 

{P,B\=Y,{P,\ I {B\^R 
iei 

This M{a) may be an action of alone, or communication between 

^^'^ case, suppose |Pj] ^ R', then 
By induction, Pj,B P^,B' and R = By Sum 

For parallel composition. P = Pi \ P2 and ln{B) = 

[p,Bi = [Pi] I [P2] I m^R 

This M{a) may be induced by |Pi](or IP2]) alone, or communication between 
|Pi] and |P2l. For the former, suppose 

iPi,B| = iPii I m^R' 

By induction 

Pi, B A Pi,B' and R' = {Pi, B'j 

Consider the following cases regarding B': if c e ln{B'), this means Pi sends a 
local name c to B. Then Pi =b (z^c)Pi", Pi =b {iyc)Pi" and 

[Pi, SI ^ {ucuC2){lPi"l I [B'{c/i^c}]) 

Suppose c does not occur in P2 (if it does, rename c to a name that does not occur 
in P2), we have 

IP,B] ^ (j.ci,c2)(lPn I IP2I I Wic/i^c}]) = IP", B'j 

Pi I P2 I P2) {^C){P^ I P2),S ^ P",S' 

where P" = (i^c)(P{" | P2). If ln{B') = 0, then 

[Pi,Sl^lPi'l I IB'] 

[p,Bi ^ [p{] 1 1P21 1 m = m I P2,B'i 

Pi I P2,B^Pi I P2,B' 

If M(q;) is a communication action between |Pi] and |P2l- Suppose 
iP^^Bj^^^^Ri IP2,BI^^^R2 

By induction 

Pi,B^Pi,B P2,B ^Pi,B and Ri = [Pi, B] P2 = IP^,B] 
Therefore 

Pi I P2,B^P{ I P^,B 

iPi I P2,B1 A iPi'l I IP^I I IB] = {Pi 1 P^,B1 
For new process. P = {va)P' , Suppose a ^ gn{B) 

[P,B| = {vaua2){lP',B{a/va}l) ^ R 
If a ^ n{a), we have 

lP',B{a/va}\^^R' 

By induction, P', B{a/va] A P", B' and R' = |P", B'}. Since P = (mi, a2)P' = 
(i/ai,02)|P",S']. Suppose a ^ ln{B'), by rule New* 

(m)P',B ^ {ua)P",B'{iya/a} 

R=l{ua)P",B'{ua/a}l 

Suppose a G ln{B'), this means P' outputs a new name a (not the outermost va 
of P) to the buffer, then a ^ ln{B) since a ^ gn{B{a/va\), also a is not a free 
name of P'. Choose a fresh name a' such that N{a') = {a'i,a'2) and 02,03 are 
fresh names in |P,B], then P = (m'l, 4)IP", S'] 

(m)P' =B (i/a')P' 
(m')P',S A (m')P",B' 
R=l{va')P",B'\ 
If a e n(a) i.e. a = a'{ua), we have 

|P ,D|a/m|| > R 

By induction, R = |P",S{a/m}l and P',B{a/zva} P",B{a/va}. By rule 

Open* 

{va)P',B^ P",B{a/iya} 

Suppose a G gn{B) {a ^ ln{B)), the above equations are also valid after appropriate 
α-conversion of (νa1, a2), and this α-conversion corresponds to renaming 
of a in P. 

(m)P' =s (m')P'{a7a} 

where a' is a fresh name. 

For extended new process. P = {ub : n)P'. 

[P,S] = {,yd,d2){{iyhh)T.{m I P„,L,(6i,&2)) I iB{d/,^d}j) ^ 

where / = [ ] . The process the following transition 

IP,B] ^ {udj2){{iybub2){m I Fr,,L,{bl,b2)) \ lB{d/ud}j) 
Suppose b ^ doin(B), then b ^ n(B), 

P,B ^ P',B[b^ {ri,l)] 
lP,Bj A Mid2)(i^6i,62)(ig'] I K,L,(&i,&2) I lB{d/i^d}j) = lP',B[b^{n,l)]} 

Suppose b G dom(B), the equations are also valid after appropriate α-conversion 
of (νb1b2), and this α-conversion corresponds to renaming of b in P. 
For replication. P =\P' = P' \ \P' and ln{B) = 0. 

[!P',B| =![P'] I m =B IP'} I I m = IP' I 
For any process P, if c € doin(B) and c ^ ln{P), then 

|P,S] = (l/dld2)([Ql I I6{d7l^d}Vl I Pn,L,(Cl,C2)) 

Suppose B(c) = (n, Z) and U I < n, then 

|p,Sl ^^^^ (^dld2)(lg] I [S{dM\c] I P„,L,::[(d„<i.)](ci,C2)) 

P,B^P,S[c^ (n,Z :: [rf])] 
Suppose B(c) = (n, [d\ :: Z'), then 

|p,i3] (l/dld2)([Q] I [B{JM\C] I P„,L,,(Cl,C2)) 

P,B^P,S[c^ (n,0] 
This completes the proof. □ 



